ID: 17178
Comment by: britney at list dot com dot net
Reported By: public at macfreek dot nl
Status: Bogus
Bug Type: HTTP related
Operating System: Any
PHP Version: 4.1.2

New Comment:
Sorry, I don't know the answer to your big question =(

Previous Comments:
------------------------------------------------------------------------

[2002-08-15 17:39:15] [EMAIL PROTECTED]

Sorry, but the bug system is not the appropriate forum for asking support questions. Your problem does not imply a bug in PHP itself.

For a list of more appropriate places to ask for help using PHP, please visit http://www.php.net/support.php

Thank you for your interest in PHP.

Despite the RFC being 5 years old, after doing tests with a number of browsers I've found that some like Konqueror outright ignore the RFC while others like Mozilla and IE support it partially. Since this is the case, until at least all new browsers begin to support this, PHP will not adopt the RFC.

------------------------------------------------------------------------

[2002-05-13 09:00:33] public at macfreek dot nl

PHP seems to implement the original Cookie *proposal* by Netscape. However, there are two newer *Standard* specifications by the IETF.

http://www.netscape.com/newsref/std/cookie_spec.html "Persistent Client State -- HTTP Cookies"
http://www.ietf.org/rfc/rfc2109.txt "HTTP State Management Mechanism"
http://www.ietf.org/rfc/rfc2965.txt "HTTP State Management Mechanism"

Since RFC 2109 is already over 5 years old, I would recommend implementing it over the long-deprecated Netscape specification. The major change is that the Expires attribute is replaced with the Max-Age attribute, eliminating the problem of time synchronization between client and server. Of course, you can send both attributes.

I would not implement RFC 2965 yet, since it defines the Set-Cookie2 header, which is possibly not widely supported yet.

Also, please read the security considerations. For example, about spoofing:

Proper application design can avoid spoofing attacks from related domains. Consider:

1. User agent makes request to victim.cracker.edu, gets back cookie session_id="1234" and sets the default domain victim.cracker.edu.
2. User agent makes request to spoof.cracker.edu, gets back cookie session-id="1111", with Domain=".cracker.edu".
3. User agent makes request to victim.cracker.edu again, and passes
   Cookie: $Version="1"; session_id="1234", $Version="1"; session_id="1111"; $Domain=".cracker.edu"

The server at victim.cracker.edu should detect that the second cookie was not one it originated by noticing that the Domain attribute is not for itself and ignore it.

------------------------------------------------------------------------
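The server-side domain check that the quoted RFC scenario recommends, together with a Set-Cookie value that carries both Max-Age and Expires as the reporter suggests, as an added example in Python (not code from PHP or from this bug report); the Cookie header value and host names are the ones quoted above, and the function names are my own.

```python
# Added example (not code from PHP or from this bug report): the server-side
# domain check the quoted RFC 2109 scenario recommends, plus a Set-Cookie
# value carrying both Max-Age (RFC 2109) and Expires (Netscape) as suggested.
import re
from email.utils import formatdate

# Cookie header value quoted in the report (step 3 of the spoofing scenario).
RFC_EXAMPLE = ('$Version="1"; session_id="1234", '
               '$Version="1"; session_id="1111"; $Domain=".cracker.edu"')

def parse_cookie_header(header):
    """Return (name, value, attrs) triples from an RFC 2109 Cookie value.
    Cookies are separated by ',' or ';'; names starting with '$' are
    attributes ($Path, $Domain) belonging to the cookie before them, and
    $Version is a header-level marker that is dropped."""
    cookies = []
    for part in re.split(r"[;,]", header):
        if "=" not in part:
            continue
        name, value = (s.strip() for s in part.split("=", 1))
        value = value.strip('"')
        if name == "$Version":
            continue
        if name.startswith("$"):
            if cookies:
                cookies[-1][2][name[1:].lower()] = value
            continue
        cookies.append((name, value, {}))
    return cookies

def accepted_cookies(header, server_host):
    """Keep only cookies this server could have originated: a missing
    $Domain was defaulted to the request host by the user agent; any other
    value (e.g. ".cracker.edu") is not one the server itself sets, so the
    cookie is ignored as the RFC text advises."""
    own = server_host.lower()
    return [(name, value)
            for name, value, attrs in parse_cookie_header(header)
            if attrs.get("domain", own).lower() == own]

def set_cookie_value(name, value, max_age, now):
    """Build a Set-Cookie value with a relative Max-Age and, for user agents
    that only understand the Netscape form, an absolute Expires computed
    from `now` (seconds since the epoch) in RFC 1123 date form."""
    expires = formatdate(now + max_age, usegmt=True)
    return f"{name}={value}; Max-Age={max_age}; Expires={expires}; Version=1"
```

Run against the quoted header, victim.cracker.edu keeps only session_id="1234" and drops the cookie carrying $Domain=".cracker.edu".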