Newsgroups: php.internals
Subject: Re: header() removes all header of the same name.
Date: Wed, 19 Oct 2016 10:00:29 +0900
To: internals@lists.php.net, Davey Shafik
Cc: Xinchen Hui
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi all,

On Tue, Oct 18, 2016 at 4:31 PM, Yasuo Ohgaki wrote:
> I understand why header() is made to remove all headers of the same
> name. This is needed in some cases, but it does not work well for some
> cases.
>
> We need to decide what to do with
> https://bugs.php.net/bug.php?id=72997
>
> There are 2 issues.
> - header() removes all headers of the same name including 'Set-Cookie'
> - header() ignores the replace flag. (This one is easy to fix)
>
> Since header() enables the 'replace flag' by default, it removes all
> 'Set-Cookie' headers sent previously by default. It can easily disturb
> security related cookies, i.e. the session ID cookie or auto login
> cookie. This bug would be very hard to find for normal users, too.
>
> Restoring the older behavior (removing only one header) cannot be a
> resolution because it can still disturb security related cookies.
>
> Possible resolutions:
>
> - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
> - Mitigate by disabling the replace flag by default. (This is not a good idea, IMO)
>
> Both resolutions require BC, but this is better to be fixed ASAP.
>
> A non-BC resolution could be:
> - "Ask users to always use setcookie() for 'Set-Cookie'".
>
> I would like to prohibit 'Set-Cookie' by header() because it may
> remove the session ID cookie as well as the auto login cookie, etc. If we
> leave the released version as it is now, I would like to prohibit
> 'Set-Cookie' by header() in PHP 7.1.
>
> The problem with this may be that users cannot modify the 'Set-Cookie' header
> line as they want.
>
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning:  Cookie names cannot contain any of the following '=,; \t\r\n\013\014' in Command line code on line 1
>
> Comments?

An idea for session ID protection.

Following code results in a lost session always. The header() function removes all headers of the same name, e.g. Set-Cookie, Expires, etc., by sapi_remove_header(). This could make the cause very hard to find.

This risk can be removed w/o much BC. The only BC is when a user is intentionally trying to delete the session ID cookie manually. This would be very rare.

We can add code that excludes the session ID cookie in sapi_remove_header().
http://lxr.php.net/xref/PHP-MASTER/main/SAPI.c#593

To do that, we can search for a string like the following:

Set-Cookie: PHPSESSID=xxxxxxx

The only issue is we need the session global, i.e. PS(session_name), at least. It's not nice to have a dependency from SAPI.c to session, but it protects the session ID from being removed by users by mistake.

Any comments?

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
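The following is an added example, not code from the thread or from php-src. It reproduces, in the CLI SAPI, the two ways of adding a cookie that the thread contrasts (a raw header('Set-Cookie: ...') call versus setcookie()) and, after each step, checks whether the cookie queued by session_start() is still in the pending header list. It assumes the CLI SAPI keeps that list readable through headers_list() even though it never sends it; the cookie names and values are constructed for the demo.

```php
<?php
// Added example (not from the original post). Run with: php cookie_check.php
// Cookie names and values below are constructed for the demonstration.

// Return only the pending "Set-Cookie:" header lines.
function setCookieHeaders(): array {
    return array_values(array_filter(
        headers_list(),
        fn(string $h): bool => stripos($h, 'Set-Cookie:') === 0
    ));
}

// True if a Set-Cookie line for the current session name (PHPSESSID by default) is queued.
function sessionCookiePresent(): bool {
    $prefix = 'Set-Cookie: ' . session_name() . '=';
    foreach (setCookieHeaders() as $h) {
        if (strncasecmp($h, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// Record the state of the header list after one step.
function snapshot(string $step): array {
    return [
        'step'             => $step,
        'set_cookie_count' => count(setCookieHeaders()),
        'session_cookie'   => sessionCookiePresent() ? 'present' : 'LOST',
    ];
}

$log = [];

session_start();                                  // queues "Set-Cookie: PHPSESSID=..."
$log[] = snapshot('session_start()');

// The pattern the thread recommends: setcookie() queues its own Set-Cookie line.
setcookie('REMEMBERME', 'constructed-token', 0, '/', '', false, true);
$log[] = snapshot("setcookie('REMEMBERME', ...)");

// The pattern from the bug report: header() with its default replace flag.
header('Set-Cookie: THEME=dark; Path=/');
$log[] = snapshot("header('Set-Cookie: THEME=...')");

// Output is deferred to the end so no step runs after output has started.
foreach ($log as $row) {
    printf("%-34s %d Set-Cookie header(s), session cookie %s\n",
        $row['step'], $row['set_cookie_count'], $row['session_cookie']);
}
```

The first two rows show the session cookie present with the count growing by one; the last row tells you whether the PHP build you run this on drops the session cookie when header() is used for Set-Cookie, which is the behaviour the bug report describes. The same check, wrapped around session_start() in an application's bootstrap, is a cheap way to catch the "lost session" symptom at the point where it happens rather than at the next request.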