Newsgroups: php.internals
Date: Tue, 18 Oct 2016 16:31:41 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: internals@lists.php.net, Davey Shafik
Cc: Xinchen Hui
Subject: header() removes all header of the same name.

Hi all,

I understand why header() is made to remove all headers of the same name.
This is needed in some cases, but it does not work well for some cases.
We need to decide what to do with
https://bugs.php.net/bug.php?id=72997

There are two issues.

- header() removes all headers of the same name including 'Set-Cookie'
- header() ignores the replace flag. (This one is easy to fix)

Since header() enables the 'replace flag' by default, it removes all 'Set-Cookie' headers sent previously by default. It can easily keep security-related cookies from working, i.e. the session ID cookie, auto login cookie. This bug would be very hard to find for normal users, too.

Restoring the older behavior (removing only one header) cannot be a resolution because it can still disturb security-related cookies.

Possible resolutions:

- Prohibit 'Set-Cookie' for header() and force users to use setcookie()
- Mitigate by disabling the replace flag by default. (This is not a good idea, IMO)

Both resolutions require BC, but this is better to be fixed ASAP.

A non-BC resolution could be:

- "Ask users to always use setcookie() for 'Set-Cookie'".

I would like to prohibit 'Set-Cookie' by header() because it may remove the session ID cookie as well as the auto login cookie, etc. If we leave the released version as it is now, I would like to prohibit 'Set-Cookie' by header() in PHP 7.1.

The problem with this may be that the user cannot modify the 'Set-Cookie' header line as the user wants.

$ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020 05:38:43 GMT; path=/; domain=aaa");'
PHP Warning:  Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in Command line code on line 1

Comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
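The behaviour the post describes, as an added example that is not part of the original message and not PHP's own code: a script queues two cookies the way an application would (a session ID and a remember-me cookie, with constructed placeholder names and values), then issues header('Set-Cookie: ...') with the default replace flag and compares the queued Set-Cookie headers before and after, next to the two non-destructive alternatives (replace=false, or setcookie()). It assumes a web SAPI: run it with the built-in server (php -S 127.0.0.1:8080 cookie_demo.php) and request it with curl -i; under the CLI SAPI header() is a no-op, so the comparison shows nothing there.

```php
<?php
// Added example, not code from the original post or from PHP itself.
// Shows how header('Set-Cookie: ...') with the default replace flag discards
// cookies an application already queued with setcookie(), and how to avoid it.
// Run under a web SAPI (e.g. `php -S 127.0.0.1:8080 cookie_demo.php`, then
// `curl -i http://127.0.0.1:8080/`); under the CLI SAPI header() does nothing.

// Returns only the Set-Cookie lines currently queued for the response.
function queuedSetCookieHeaders()
{
    $out = array();
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') === 0) {
            $out[] = $line;
        }
    }
    return $out;
}

// Queue the cookies an application would normally send. Names and values are
// constructed placeholders; real ones come from the session handler and the
// login code. Signature: setcookie(name, value, expire, path, domain, secure, httponly).
function queueSecurityCookies()
{
    setcookie('PHPSESSID', 'sess-placeholder', 0, '/', '', false, true);
    setcookie('REMEMBERME', 'remember-placeholder', time() + 86400, '/', '', false, true);
}

queueSecurityCookies();
$before = queuedSetCookieHeaders();            // 2 queued Set-Cookie headers

// The risky pattern: replace defaults to true. Depending on the PHP build this
// removes one or all of the Set-Cookie headers queued above; either way a cookie
// the application meant to send is silently gone.
header('Set-Cookie: prefs=dark; Path=/');
$afterReplace = queuedSetCookieHeaders();      // fewer than 3 entries

// Non-destructive alternatives: append with replace=false, or use setcookie(),
// which always adds a header rather than replacing one.
header('Set-Cookie: lang=en; Path=/', false);
setcookie('theme', 'light', 0, '/');
$afterAppend = queuedSetCookieHeaders();       // grows by exactly 2

header('Content-Type: text/plain');
echo "After setcookie() x2:\n  " . implode("\n  ", $before) . "\n\n";
echo "After header('Set-Cookie: ...') with replace=true:\n  " . implode("\n  ", $afterReplace) . "\n\n";
echo "After header(..., false) and setcookie():\n  " . implode("\n  ", $afterAppend) . "\n\n";
// The replacing call added one header; whatever is missing beyond that was removed.
echo "Lost by the replacing call: " . (count($before) + 1 - count($afterReplace)) . "\n";
```

The last line is the check worth keeping around while the behaviour is in flux: any value above zero means a cookie the application queued never reaches the browser, which is exactly the silent failure of session and auto-login cookies the post warns about. Using setcookie() for every cookie, as the post recommends, avoids the question entirely.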