(Apologies for the dupe, re-sending for the list.) If the replace flag was fixed, isn’t this then just a case of making sure userland sets replace to false if they want existing set-cookie headers retained?
Removing the ability to write a custom Set-Cookie header introduces a bigger problem than the current one, IMO.

> On 18 Oct 2016, at 14:31, Yasuo Ohgaki <yohg...@ohgaki.net> wrote:
>
> Hi all,
>
> I understand why header() is made to remove all headers of the same name. This is needed in some cases, but it does not work well for some cases.
>
> We need to decide what to do with
> https://bugs.php.net/bug.php?id=72997
>
> There are 2 issues.
> - header() removes all headers of the same name including 'Set-Cookie'
> - header() ignores replace flag. (This one is easy to fix)
>
> Since header() enables 'replace flag' by default, it removes all 'Set-Cookie' headers sent previously by default. It can easily stop security-related cookies from working, i.e. the session ID cookie or the auto-login cookie. This bug would be very hard to find for normal users, too.
>
> Restoring older behavior (removing only one header) cannot be a resolution because it can still disturb security-related cookies.
>
> Possible resolutions:
>
> - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
> - Mitigate by disabling replace flag by default. (This is not a good idea, IMO)
>
> Both resolutions require BC, but this is better to be fixed ASAP.
>
> Non-BC resolution could be:
> - "Ask users to use setcookie() always for 'Set-Cookie'".
>
> I would like to prohibit 'Set-Cookie' by header() because it may remove the session ID cookie as well as the auto-login cookie, etc. If we leave the released version as it is now, I would like to prohibit 'Set-Cookie' by header() in PHP 7.1.
>
> A problem with this may be that users cannot modify the 'Set-Cookie' header line as they want.
>
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning: Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in Command line code on line 1
>
> Comments?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohg...@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
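As an added example (not code from the thread or from PHP itself), a small script that makes the behaviour under discussion observable: it queues the session ID cookie and an auto-login cookie, then adds a hand-written Set-Cookie line via header() with the replace flag chosen by a query parameter, and prints which Set-Cookie headers survived. The cookie names, the token value and the `mode` parameter are constructed for the demo; it assumes a web SAPI such as the built-in server, since the CLI SAPI discards response headers.

```php
<?php
// Added example, not from the thread. Run under a web SAPI, e.g.
//   php -S 127.0.0.1:8080 cookie_demo.php
//   curl -si 'http://127.0.0.1:8080/'              # replace=false
//   curl -si 'http://127.0.0.1:8080/?mode=replace' # replace=true
// The CLI SAPI discards response headers, so headers_list() is empty there.

// Count the Set-Cookie headers queued so far (case-insensitive match).
function countSetCookie(): int
{
    $n = 0;
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0) {
            $n++;
        }
    }
    return $n;
}

// Two security-relevant cookies queued the way an application normally does:
// the session ID cookie from session_start() and an auto-login cookie.
// (Cookie name and value are constructed for this demo.)
session_start();
setcookie('REMEMBERME', 'demo-token', time() + 86400, '/', '', false, true);
$before = countSetCookie();

// 'mode' is a constructed query parameter selecting the replace flag.
$replace = isset($_GET['mode']) && $_GET['mode'] === 'replace';

// A hand-written Set-Cookie line, as the thread discusses. With replace=true
// header() removes every Set-Cookie header already queued, PHPSESSID and
// REMEMBERME included; with replace=false (the reply's suggestion) it only
// appends, provided the PHP build honours the flag.
header('Set-Cookie: theme=dark; Path=/', $replace);
$after = countSetCookie();

header('Content-Type: text/plain');
echo 'replace flag: ', $replace ? 'true' : 'false', "\n";
echo "Set-Cookie headers queued before header(): $before, after: $after\n";
foreach (headers_list() as $h) {
    if (stripos($h, 'Set-Cookie:') === 0) {
        echo $h, "\n";
    }
}
```

Comparing the two curl responses shows whether the session cookie is still delivered to the client; a build affected by the bug drops it in both modes, which is the "hard to find" failure the original mail warns about.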