Newsgroups: php.internals
Xref: news.php.net php.internals:96416
Subject: Re: [PHP-DEV] header() removes all header of the same name.
From: Stephen Reay <php-lists@koalephant.com>
To: Yasuo Ohgaki
Cc: internals@lists.php.net, Davey Shafik, Xinchen Hui
Date: Tue, 18 Oct 2016 16:36:27 +0700
Message-ID: <1C4AE75B-DD23-4FA3-B0AC-D8C04ECCD8E6@koalephant.com>

(Apologies for the dupe, re-sending for the list.)

If the replace flag was fixed, isn't this then just a case of making sure userland sets replace to false if they want existing Set-Cookie headers retained?

Removing the ability to write a custom Set-Cookie header introduces a bigger problem than the current one, IMO.
> On 18 Oct 2016, at 14:31, Yasuo Ohgaki wrote:
>
> Hi all,
>
> I understand why header() is made to remove all headers of the same
> name. This is needed in some cases, but it does not work well for some
> cases.
>
> We need to decide what to do with
> https://bugs.php.net/bug.php?id=72997
>
> There are 2 issues.
> - header() removes all headers of the same name including 'Set-Cookie'
> - header() ignores the replace flag. (This one is easy to fix)
>
> Since header() enables the 'replace flag' by default, it removes all
> 'Set-Cookie' headers sent previously by default. It can easily disturb
> security-related cookies, i.e. the session ID cookie or the auto-login
> cookie. This bug would be very hard to find for normal users, too.
>
> Restoring the older behavior (removing only one header) cannot be a
> resolution because it can still disturb security-related cookies.
>
> Possible resolutions:
>
> - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
> - Mitigate by disabling the replace flag by default. (This is not a good idea, IMO)
>
> Both resolutions require BC, but this is better to be fixed ASAP.
>
> A non-BC resolution could be:
> - "Ask users to always use setcookie() for 'Set-Cookie'".
>
> I would like to prohibit 'Set-Cookie' by header() because it may
> remove the session ID cookie as well as the auto-login cookie, etc. If we
> leave the released version as it is now, I would like to prohibit
> 'Set-Cookie' by header() in PHP 7.1.
>
> A problem with this may be that users cannot modify the 'Set-Cookie' header
> line as they want.
>
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020
> 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning:  Cookie names cannot contain any of the following '=,;
> \t\r\n\013\014' in Command line code on line 1
>
>
> Comments?
>
> Regards,
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
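The behaviour the two messages argue about, as an added example that is not from the thread or from php-src: a script that queues a session cookie, then adds a REMEMBERME cookie three ways and prints which Set-Cookie headers are still queued after each step. The cookie name REMEMBERME and the bug number come from the thread; the token value, the helper names and the remaining cookie attributes are assumptions. It assumes a PHP build where header()'s $replace flag is honoured (the thread notes that the flag was ignored in the affected release) and must run under a web SAPI or php-cgi, since the CLI SAPI does not keep a header list and headers_list() is empty there.

```php
<?php
// Added example, not code from the thread or from php-src. Run under a web
// SAPI or php-cgi (the CLI SAPI does not record headers, so headers_list()
// returns nothing). REMEMBERME and bug #72997 are from the thread; the
// token, helper names and cookie attributes are hypothetical.
declare(strict_types=1);

ob_start(); // buffer output so printing does not send the headers early

/** Set-Cookie headers currently queued for this response, in order. */
function queued_set_cookies(): array
{
    return array_values(array_filter(
        headers_list(),
        function (string $h): bool {
            return stripos($h, 'Set-Cookie:') === 0;
        }
    ));
}

/** True if a Set-Cookie header for the session cookie is still queued. */
function session_cookie_queued(): bool
{
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach (queued_set_cookies() as $h) {
        if (stripos($h, $prefix) === 0) {
            return true;
        }
    }
    return false;
}

function report(string $step): void
{
    printf("%-40s session cookie queued: %s\n%s\n\n",
        $step,
        session_cookie_queued() ? 'yes' : 'NO',
        implode("\n", queued_set_cookies()));
}

session_start();                      // queues "Set-Cookie: PHPSESSID=..."
report('after session_start()');

$token = bin2hex(random_bytes(16));   // hypothetical remember-me token

// 1. $replace = false: header() appends instead of replacing, so the
//    session cookie survives. On builds where the flag is ignored
//    (bug #72997) this step already drops PHPSESSID.
header("Set-Cookie: REMEMBERME={$token}; Path=/; Secure; HttpOnly", false);
report('after header(..., false)');

// 2. Default $replace = true: header() removes every queued Set-Cookie,
//    PHPSESSID and the REMEMBERME cookie from step 1 included, before
//    adding this one. This is the silent session loss the thread describes.
header('Set-Cookie: theme=dark; Path=/');
report('after header() with default replace');

// 3. The non-BC answer from the thread: setcookie() only ever appends a
//    Set-Cookie header and never touches the ones already queued, so
//    re-queue the session cookie and add the others the same way.
setcookie(session_name(), session_id(), 0, '/', '', true, true);
setcookie('REMEMBERME', $token, time() + 30 * 86400, '/', '', true, true);
report('after setcookie() for both');

ob_end_flush();
```

Run it as `php-cgi -q example.php` or through a web server and compare the three reports: step 2 is the one where "session cookie queued" flips to NO, which is the failure the thread is about, and step 3 shows why setcookie() is the safe default for anything security-relevant even where the $replace flag works.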