From:             gustav at cst dot co dot za
Operating system: Windows Server 2003
PHP version:      4.4.0
PHP Bug Type:     *General Issues
Bug description:  Bugfix #32827 is incorrect

Description:
------------
This bug was classified "Won't fix" before, because according to
[EMAIL PROTECTED], it would not be backwards compatible with the Netscape
cookie specification. See #32827 (http://bugs.php.net/bug.php?id=32827)
for details.

However, [EMAIL PROTECTED]'s interpretation of the Netscape cookie standard
is incompatible with the HTTP protocol specification and the "HTTP State
Management Mechanism" specification.

"Backwards compatibility" in this case breaks more than it fixes. See
#32966 (http://bugs.php.net/bug.php?id=32966) and
#32111 (http://bugs.php.net/bug.php?id=32111) for details.

The problem I encountered is the same as #32966. I get two "Cookie:"
headers which are then combined into one by separating them with a comma.
This breaks the session id.

Now my motivation for why cookies *must* be allowed to be comma
separated:

In both the HTTP/1.0 and HTTP/1.1 protocol specifications (RFCs 1945 and
2068) it is stated in section 4.2 (Message Headers) that:

   Multiple HTTP-header fields with the same field-name may be present
   in a message if and only if the entire field-value for that header
   field is defined as a comma-separated list [i.e., #(values)]. It must
   be possible to combine the multiple header fields into one "field-
   name: field-value" pair, without changing the semantics of the
   message, by appending each subsequent field-value to the first, each
   separated by a comma.

Also, in the "HTTP State Management Mechanism" specification (RFC 2965)
section 3.3.4 (Sending Cookies to the Origin Server) defines the syntax of
the cookie header as:

cookie  = "Cookie:" cookie-version 1*((";" | ",") cookie-value)

Thereby showing that plain commas imply a separate cookie.


Reproduce code:
---------------
Using a raw telnet session to IIS running PHP:

GET / HTTP/1.0
Host: myhost.somewhere.com
Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
Cookie: $Version="1"; id="8"; 


Expected result:
----------------
No error.

Actual result:
--------------
session_start(): The session id contains invalid characters, valid
characters are only a-z, A-Z and 0-9

-- 
Edit bug report at http://bugs.php.net/?id=34734&edit=1
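
The failure described in the report, modelled as an added example (not part of the original report and not PHP's own parser): the two Cookie headers are folded with a comma as RFC 2068 section 4.2 describes, then parsed once with ";" as the only separator and once with the ";" | "," separators from the RFC 2965 grammar. All function names are hypothetical; the header values are the ones from the report's request.

```python
import re

# Constructed sample: the headers from the report's raw request.
HEADERS = [
    ("Host", "myhost.somewhere.com"),
    ("Cookie", "PHPSESSID=6664337de02c5bad6c175e0bb3c10a45"),
    ("Cookie", '$Version="1"; id="8"; '),
]

def combine(headers, name):
    """Fold repeated headers into one value, comma separated (RFC 2068, 4.2)."""
    return ", ".join(v.strip() for k, v in headers if k.lower() == name.lower())

def split_outside_quotes(value, separators):
    """Split on separator characters, ignoring any inside a quoted-string."""
    parts, buf, quoted = [], [], False
    for ch in value:
        if ch == '"':
            quoted = not quoted
        if ch in separators and not quoted:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts

def parse_cookies(value, separators):
    """Return name -> value; first occurrence kept (assumption of this sketch)."""
    cookies = {}
    for part in split_outside_quotes(value, separators):
        name, eq, val = part.strip().partition("=")
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == '"':
            val = val[1:-1]  # unquote a fully quoted value
        if eq and name:
            cookies.setdefault(name, val)
    return cookies

def valid_session_id(sid):
    """Character set named in the session_start() warning: a-z, A-Z, 0-9."""
    return re.fullmatch(r"[A-Za-z0-9]+", sid) is not None

if __name__ == "__main__":
    folded = combine(HEADERS, "Cookie")
    for seps in (";", ";,"):
        sid = parse_cookies(folded, seps)["PHPSESSID"]
        print(repr(seps), repr(sid), valid_session_id(sid))
```

With ";" alone, the folded comma and the following `$Version="1"` end up inside the PHPSESSID value, which then fails the character check; with both separators the session id is recovered intact.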