From:             ast at gmx dot ch
Operating system: ANY
PHP version:      4.3.11
PHP Bug Type:     HTTP related
Bug description:  General cookie overrides more specific cookie, RFC 2965 
incompliant

Description:
------------
[EMAIL PROTECTED], you closed the bug prematurely. It is indeed a PHP bug. Let
me explain...

From RFC 2965, which obsoletes 2109, and is the reference for cookie /
HTTP state management mechanism:
http://www.faqs.org/rfcs/rfc2965
See 4.2  Example 2

Imagine the user agent has received, in response to earlier requests,
   the response headers

   Set-Cookie2: Part_Number="Rocket_Launcher_0001"; Version="1";
           Path="/acme"

   and

   Set-Cookie2: Part_Number="Riding_Rocket_0023"; Version="1";
           Path="/acme/ammo"

   A subsequent request by the user agent to the (same) server for URLs
   of the form /acme/ammo/...  would include the following request
   header:

   Cookie: $Version="1";
           Part_Number="Riding_Rocket_0023"; $Path="/acme/ammo";
           Part_Number="Rocket_Launcher_0001"; $Path="/acme"

   Note that the NAME=VALUE pair for the cookie with the more specific
   Path attribute, /acme/ammo, comes before the one with the less
   specific Path attribute, /acme.  Further note that the same cookie
   name appears more than once.

Also from the RFC:
If multiple cookies satisfy the criteria above, they are ordered in
the Cookie header such that those with more specific Path attributes
precede those with less specific. Ordering with respect to other
attributes (e.g., Domain) is unspecified.


My example is a little specific, but is described in
http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=29223.

I tested with ethereal, to look into the packets my browser actually sent
to the webserver. IE and FF behave the same way.
The HTTP header containing the cookies looked the same in both browsers
and conformed to the RFC2965.
The most specific matched cookies (path) are listed first, the least
specific matching cookies last, all NAME=VALUE pairs are delimited by a
semicolon.

There are a number of options to retrieve cookie data in php. $_COOKIE is
indexed by NAME, so you get only a single cookie if multiple cookies have
the same NAME but a different path. That's not good. 
And $_COOKIE['COOKIENAME'] is the least specific cookie. I guess, php just
runs through the Cookie: header and does something like $_COOKIE[$NAME] =
$value, replacing more specific cookies with less specific cookies.

$_GLOBALS['HTTP_SERVER_VARS'] lists all cookies, according to the RFC2965
specification! That's good.
Same for $_GLOBALS['_SERVER']['HTTP_COOKIE'] = $_SERVER['HTTP_COOKIE'].
This is good!

Example showing multiple cookies with NAME = GALLERYSID (they have
different paths), I have this from print_r($_SERVER):
[HTTP_COOKIE] => GALLERYSID=6fb8f64ad5107c62b812f9c4d3cd69b0;
G2_hybrid=1%3B5%3B1%3B1%3B1%3B0%3B; xarayaclassic_textsize=Small
classictext; GALLERYSID=8603809d6b5671bbef5d4b8465d0db89;
xarayaclassic_colscheme=null

So the browsers comply with RFC 2965, but PHP doesn't.

What should be fixed:
The most specific path matched cookie should be in the $_COOKIE array, not
the least specific matched cookie! I.e. when parsing HTTP header  Cookie:
from left to right, do this:
if (!isset($_COOKIE[$name])) {
    $_COOKIE[$name] = $value;
}
instead of just 
$_COOKIE[$name] = $value;


-- 
Edit bug report at http://bugs.php.net/?id=32802&edit=1
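
Added example, not part of the original report and not PHP's own parsing code: a small PHP script that splits the HTTP_COOKIE value quoted in the report and compares the last-wins assignment the report describes with the proposed first-wins rule, also listing names that occur more than once. The helper names cookie_pairs() and resolve_cookies() are hypothetical.

```php
<?php
// Added example; requires PHP 7.1+. cookie_pairs() and resolve_cookies()
// are hypothetical helper names, not PHP internals.

// Return all NAME=VALUE pairs in header order; $Version/$Path are skipped.
function cookie_pairs(string $header): array
{
    $pairs = [];
    foreach (explode(';', $header) as $part) {
        $part = trim($part);
        if ($part === '' || $part[0] === '$' || strpos($part, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $part, 2);
        $pairs[] = [trim($name), trim($value, " \t\"")];
    }
    return $pairs;
}

// Build a name-indexed array; returns [cookies, names seen more than once].
function resolve_cookies(array $pairs, bool $firstWins): array
{
    $cookies = [];
    $duplicates = [];
    foreach ($pairs as [$name, $value]) {
        if (array_key_exists($name, $cookies)) {
            $duplicates[$name] = true;
            if ($firstWins) {
                continue; // keep the earlier cookie (more specific Path first)
            }
        }
        $cookies[$name] = $value;
    }
    return [$cookies, array_keys($duplicates)];
}

// Header value as quoted in the report's print_r($_SERVER) output.
$header = 'GALLERYSID=6fb8f64ad5107c62b812f9c4d3cd69b0; '
    . 'G2_hybrid=1%3B5%3B1%3B1%3B1%3B0%3B; '
    . 'xarayaclassic_textsize=Small classictext; '
    . 'GALLERYSID=8603809d6b5671bbef5d4b8465d0db89; '
    . 'xarayaclassic_colscheme=null';

$pairs = cookie_pairs($header);
[$lastWins, $dups] = resolve_cookies($pairs, false);
[$firstWins] = resolve_cookies($pairs, true);
echo "last-wins  GALLERYSID: {$lastWins['GALLERYSID']}\n";
echo "first-wins GALLERYSID: {$firstWins['GALLERYSID']}\n";
echo "names sent more than once: " . implode(', ', $dups) . "\n";
```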