Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:64229 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 87456 invoked from network); 10 Dec 2012 14:01:52 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 10 Dec 2012 14:01:52 -0000 Authentication-Results: pb1.pair.com header.from=julienpauli@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=julienpauli@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.210.169 as permitted sender) X-PHP-List-Original-Sender: julienpauli@gmail.com X-Host-Fingerprint: 209.85.210.169 mail-ia0-f169.google.com Received: from [209.85.210.169] ([209.85.210.169:53904] helo=mail-ia0-f169.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id EE/35-60401-F4BE5C05 for ; Mon, 10 Dec 2012 09:01:51 -0500 Received: by mail-ia0-f169.google.com with SMTP id r4so4881670iaj.0 for ; Mon, 10 Dec 2012 06:01:48 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:cc:content-type; bh=jKm+wqlXyUN6clV3BWybedE+/PYvl9g9/zKjZB4bkhA=; b=jVmNc8/ZPlDEP4C2m92c5d7UBI9mFUZdbgDHJhWL+JrRwYNjD74ZYxGkIQqYJ3Zip/ qDNPbK7cvftZ/7VJQGLu/pJSt8rK453SRVHPGba5HeU5+pooS+bArfJvqPgSHxewYiSW x7LjL8jP3bxJ2kDICNoj0EonxNzwQYM0AuEKJRTpt9wlDm+C8r5lPq66SsqqQ36m41cu vDE6GN9Pn10aYq25LWVXeCH4mY3IYSXN1KfQH4vbd6gffk4P95kzV4kvhv7shc7hFmVI LK1zTM0myKXyAtggGvCQt5qGvlw2KGN0zrFI0kIoUv6isoUCDlLUp+wJZwweL0DQ7+4h ap9Q== Received: by 10.50.216.201 with SMTP id os9mr6652847igc.5.1355148107739; Mon, 10 Dec 2012 06:01:47 -0800 (PST) MIME-Version: 1.0 Sender: julienpauli@gmail.com Received: by 10.64.140.106 with HTTP; Mon, 10 Dec 2012 06:01:07 -0800 (PST) In-Reply-To: <20121210142818.9erzxulg08cwwck8@mail.orbitel.bg> References: <20121210142818.9erzxulg08cwwck8@mail.orbitel.bg> Date: Mon, 10 Dec 2012 15:01:07 +0100 X-Google-Sender-Auth: HFMIibIDKSBkjQ5Dt_Zwc8diB8o Message-ID: To: Andrey Andreev Cc: internals@lists.php.net Content-Type: multipart/alternative; boundary=14dae934123594711a04d08001e1 Subject: Re: [PHP-DEV] Bug #23955: Cookie Max-Age attribute From: jpauli@php.net (jpauli) --14dae934123594711a04d08001e1 Content-Type: text/plain; charset=ISO-8859-1 On Mon, Dec 10, 2012 at 1:28 PM, Andrey Andreev wrote: > Hello all, > On a pull request submitted via github, it was suggested to me that I > should write an RFC about the feature that I'm proposing as well as to > write about it here on the internals mail list. > However, creating new pages (including RFCs) on wiki.php.net doesn't seem > to be allowed for non-priviled users, so I'm forced to skip that part. > > The PR in question is located at the URL below, but note that I'm no C > coder and while I did test it, I'm in no way confident that it should be > implemented as is. The changes just seemed simple enough to do, so I went > with it. If not anything else, you should be able to understand it more > easily. > > https://github.com/php/php-**src/pull/238 > > What I'm proposing is that setcookie(), setrawcookie() and ext/session > should send the Max-Age attribute in the Set-Cookie header, as described in > RFC2109, RFC2965, RFC6265. > > As shown in the subject, the absence of this attribute in PHP-generated > Set-Cookie headers is also listed as a bug: https://bugs.php.net/bug.php?* > *id=23955 > > Another one also related: https://bugs.php.net/bug.php?**id=43439 > > In summary - it specifies the cookie lifetime in seconds, starting from > the current time. This means that it's a better solution than the Expires > attribute, as the user agent doesn't need to worry about timezones and > basically - it doesn't matter if its time settings are correct. > > It should also be noted that 0 (zero) or any negative value means that the > cookie should be immediately dropped. > > Erroneous time settings is a problem for many users and for the developers > of web applications that they report this supposedly as a bug and since > I've personally faced such reports, I can tell - it's really hard to debug > and/or figure out the problem at first. Considering this, I can imagine > that this feature would solve a lot of problems. > > The listed RFCs specify that both Expires and Max-Age are optional > attributes, but due to the latter being relatively new - it might not be > supported by all browsers. Those that don't will ignore it, BUT those that > do - will give it a higher precedence. > To me, that makes it perfectly safe to send both Expires and Max-Age, > whenever the cookie lifetime has to be specified. > > I've taken the chance to also switch the rest of the currently sent > attributes from all-lowercase to the so called StudlyCaps presentation > (e.g. expires -> Expires). Browsers should all match them in a > case-insensitive manner, but all of the RFCs list them as proposed. In > other words - this is irrelevant, why not do it for the sake of consistency? > > Btw, since the patch is against 'master', while compiling it appeared that > it's PHP 5.5 code in that branch. That's not intentional on my part - if it > was up to me, I'd include it in the very next release. :) > > Cheers, > Andrey. > > Thx Andrey for this, As I noted in a bug comment https://bugs.php.net/bug.php?id=23955 , this feature must be added to PHP for User Agent having a wrong local time to compute cookie expiration in a safe way. The fact that adding the header should just not change the behavior of UA's not knowing it is a huge +1. I dont like the idea of adding one more parameter to setcookie() and friends to let the programmer control the generated headers (talked about in the github issue comments) Julien.Pauli > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > --14dae934123594711a04d08001e1--