ID: 43311 Comment by: crrodriguez+php at suse dot de Reported By: crrodriguez at suse dot de Status: Open Bug Type: *General Issues Operating System: Irrelevant PHP Version: 5.3CVS-2007-11-16 (CVS) New Comment:
also imagine the following code setcookie ("foo", $_GET['reallybigdata']) it can also exausts the PHP process or system memory(dependding on the memory limit)for no gain because the browser will truncate it anyway. Previous Comments: ------------------------------------------------------------------------ [2007-11-16 08:23:38] judas dot iscariote at gmail dot com PHP implements the netscape spec, **not** the RFC one "When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes" "Servers should not expect clients to be able to exceed these limits" In the case of PHP, sending a cookie bigger than 4kb is useless because no browser will use it correctly, and truncating it without emitting any warning just makes debugging harder. ------------------------------------------------------------------------ [2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net http://www.faqs.org/rfcs/rfc2109 http://www.faqs.org/rfcs/rfc2965 RFCS linked from the setcookie function docs " ... * at least 300 cookies * at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header) ... " keyword:at least so basicly php should not limit cookie length, it up to the client/browser how to handle it. ------------------------------------------------------------------------ [2007-11-16 03:26:53] judas dot iscariote at gmail dot com corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) http://www.flyspray.org/patches/setcookie-4096btyesonly.patch ------------------------------------------------------------------------ [2007-11-16 01:30:40] crrodriguez at suse dot de Description: ------------ The following report caught my attention http://www.securityfocus.com/archive/1/483705 That is indeed a bug in Konqueror, but if you look the "reproduce code" it says. Reproduce code: --------------- <?php ini_set("memory_limit","200M"); setcookie("hi_fox", str_repeat("A",19999999)); ?> Expected result: ---------------- PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes. http://www.15seconds.com/faq/Cookies/388.htm http://wp.netscape.com/newsref/std/cookie_spec.html E-Warning "Cookie cannot store more than %d bytes of data" Actual result: -------------- PHP setting a 200MB cookie anyway. patch here : http://rafb.net/p/zs0ojA57.html ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=43311&edit=1