Hi!

> There are 2 issues.
> - header() removes all headers of the same name including 'Set-Cookie'
> - header() ignores replace flag. (This one is easy to fix)

We have the flag, so if it doesn't work it should be fixed. Also, one should use setcookie() for cookies, usually.

> Possible resolutions:
>
> - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
> - Mitigate by disabling replace flag by default. (This is not a good idea,
> IMO)

I don't think we should do either.

> I would like to prohibit 'Set-Cookie' by header() because it may
> remove session ID cookie as well as auto login cookie, etc. If we
> leave released version as it is now, I would like to prohibit
> 'Set-Cookie' by header() in PHP 7.1.

I don't think it's a good idea. If somebody is using header(), it should work like header() works. If you don't like how it works, use setcookie.

> Problem with this may be that user cannot modify 'Set-Cookie' header
> line as the user wants.
>
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020
> 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning: Cookie names cannot contain any of the following '=,;
> \t\r\n\013\014' in Command line code on line 1

You are using setcookie() wrong here. See: http://php.net/setcookie

--
Stas Malyshev
smalys...@gmail.com

--
PHP Internals - PHP Runtime Development Mailing List
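
The behaviour discussed in this thread can be checked on a given PHP build with the script below. It is an added example, not code from the thread or from PHP itself: it queues cookies with setcookie() using separate name and value arguments, sends a raw Set-Cookie line through header() with the default replace flag, and then appends one with the flag forced off. The helper names `queued_cookies` and `header_keep_cookies` and all cookie values are assumptions made for illustration.

```php
<?php
// Added example. Run under a web SAPI (for instance PHP's built-in server,
// `php -S 127.0.0.1:8080`); the CLI does not report queued headers.
// Cookie names and values below are constructed sample data.

// Hypothetical helper: the Set-Cookie lines currently queued for the response.
function queued_cookies(): array
{
    return array_values(array_filter(headers_list(), function ($h) {
        return stripos($h, 'Set-Cookie:') === 0;
    }));
}

// Hypothetical wrapper: a raw Set-Cookie line is always appended, so it
// cannot replace cookies already queued (session ID, auto-login, ...).
function header_keep_cookies(string $line, bool $replace = true)
{
    if (stripos(ltrim($line), 'Set-Cookie:') === 0) {
        $replace = false;
    }
    header($line, $replace);
}

// setcookie() takes the name and value as separate arguments; expiry, path
// and domain are further arguments, not part of the name string.
setcookie('SID', 'constructed-session-id', 0, '/');
setcookie('REMEMBERME', 'value', gmmktime(5, 38, 43, 9, 3, 2020), '/', 'aaa');
$afterSetcookie = queued_cookies();

// Raw header() call with its default replace flag (true).
header('Set-Cookie: theme=dark; path=/');
$afterReplace = queued_cookies();

// Queue the session cookie again, then append through the wrapper.
setcookie('SID', 'constructed-session-id', 0, '/');
header_keep_cookies('Set-Cookie: lang=en; path=/');
$afterAppend = queued_cookies();

// Show what was queued at each step so the three states can be compared.
header('Content-Type: text/plain');
print_r(compact('afterSetcookie', 'afterReplace', 'afterAppend'));
```

Comparing `afterSetcookie` with `afterReplace` shows whether the session and remember-me cookies survived the raw header() call on the PHP version under test.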