On Mon, Dec 10, 2012 at 1:28 PM, Andrey Andreev <n...@bofh.bg> wrote:
> Hello all,
> On a pull request submitted via github, it was suggested to me that I
> should write an RFC about the feature that I'm proposing as well as to
> write about it here on the internals mail list.
> However, creating new pages (including RFCs) on wiki.php.net doesn't seem
> to be allowed for non-privileged users, so I'm forced to skip that part.
>
> The PR in question is located at the URL below, but note that I'm no C
> coder and while I did test it, I'm in no way confident that it should be
> implemented as is. The changes just seemed simple enough to do, so I went
> with it. If not anything else, you should be able to understand it more
> easily.
>
> https://github.com/php/php-src/pull/238
>
> What I'm proposing is that setcookie(), setrawcookie() and ext/session
> should send the Max-Age attribute in the Set-Cookie header, as described in
> RFC2109, RFC2965, RFC6265.
>
> As shown in the subject, the absence of this attribute in PHP-generated
> Set-Cookie headers is also listed as a bug:
> https://bugs.php.net/bug.php?id=23955
>
> Another one also related:
> https://bugs.php.net/bug.php?id=43439
>
> In summary - it specifies the cookie lifetime in seconds, starting from
> the current time. This means that it's a better solution than the Expires
> attribute, as the user agent doesn't need to worry about timezones and
> basically - it doesn't matter if its time settings are correct.
>
> It should also be noted that 0 (zero) or any negative value means that the
> cookie should be immediately dropped.
>
> Erroneous time settings is a problem for many users and for the developers
> of web applications that they report this supposedly as a bug and since
> I've personally faced such reports, I can tell - it's really hard to debug
> and/or figure out the problem at first. Considering this, I can imagine
> that this feature would solve a lot of problems.
>
> The listed RFCs specify that both Expires and Max-Age are optional
> attributes, but due to the latter being relatively new - it might not be
> supported by all browsers. Those that don't will ignore it, BUT those that
> do - will give it a higher precedence.
> To me, that makes it perfectly safe to send both Expires and Max-Age,
> whenever the cookie lifetime has to be specified.
>
> I've taken the chance to also switch the rest of the currently sent
> attributes from all-lowercase to the so called StudlyCaps presentation
> (e.g. expires -> Expires). Browsers should all match them in a
> case-insensitive manner, but all of the RFCs list them as proposed. In
> other words - this is irrelevant, why not do it for the sake of consistency?
>
> Btw, since the patch is against 'master', while compiling it appeared that
> it's PHP 5.5 code in that branch. That's not intentional on my part - if it
> was up to me, I'd include it in the very next release. :)
>
> Cheers,
> Andrey.

Thx Andrey for this,

As I noted in a bug comment https://bugs.php.net/bug.php?id=23955 , this feature must be added to PHP for User Agent having a wrong local time to compute cookie expiration in a safe way.

The fact that adding the header should just not change the behavior of UA's not knowing it is a huge +1.

I don't like the idea of adding one more parameter to setcookie() and friends to let the programmer control the generated headers (talked about in the github issue comments)

Julien.Pauli
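
The clock-skew argument made in this thread, as an added PHP example that is not part of the original messages or of the pull request: it builds a Set-Cookie value carrying both Expires and Max-Age, then models how long a user agent keeps the cookie when its clock is correct, two hours fast, or two hours slow. The function names, the cookie name and value, and the timestamps are constructed for illustration.

```php
<?php
// Added illustration: function names are hypothetical, not taken from php-src.

// Server side: emit both lifetime attributes, Expires for user agents that
// do not know Max-Age, Max-Age for those that do.
function build_set_cookie(string $name, string $value, int $lifetime, int $serverNow): string
{
    return $name . '=' . urlencode($value)
        . '; Expires=' . gmdate('D, d M Y H:i:s', $serverNow + $lifetime) . ' GMT'
        . '; Max-Age=' . $lifetime;
}

// User-agent side: seconds the cookie is kept, measured on the client's own
// clock. Returns null for a session cookie (no usable lifetime attribute).
function ua_lifetime(string $header, int $clientNow, bool $supportsMaxAge): ?int
{
    $attrs = [];
    foreach (array_slice(explode(';', $header), 1) as $part) {
        [$k, $v] = array_pad(explode('=', trim($part), 2), 2, '');
        $attrs[strtolower(trim($k))] = trim($v); // names match case-insensitively
    }
    // Max-Age wins when understood; zero or negative means "drop immediately".
    if ($supportsMaxAge && preg_match('/^-?\d+$/', $attrs['max-age'] ?? '')) {
        return max(0, (int) $attrs['max-age']);
    }
    // Expires is an absolute date, so the result depends on the client clock.
    $ts = isset($attrs['expires']) ? strtotime($attrs['expires']) : false;
    return $ts === false ? null : max(0, $ts - $clientNow);
}

$serverNow = gmmktime(13, 28, 0, 12, 10, 2012); // constructed sample time
$header = build_set_cookie('sid', 'abc123', 3600, $serverNow); // constructed cookie
echo 'Set-Cookie: ', $header, "\n";

foreach ([0, 7200, -7200] as $skew) { // client clock correct, 2 h fast, 2 h slow
    printf(
        "clock skew %+5d s: Expires only keeps it %5d s, Max-Age keeps it %5d s\n",
        $skew,
        ua_lifetime($header, $serverNow + $skew, false),
        ua_lifetime($header, $serverNow + $skew, true)
    );
}
```

With these constructed values the Expires-only lifetime changes with the client's clock error, while the Max-Age lifetime stays at the 3600 seconds the server asked for.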