Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96500
Return-Path: <smalyshev@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 18188 invoked from network); 20 Oct 2016 04:39:13 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 20 Oct 2016 04:39:13 -0000
Authentication-Results: pb1.pair.com smtp.mail=smalyshev@gmail.com; spf=pass; sender-id=pass
Authentication-Results: pb1.pair.com header.from=smalyshev@gmail.com; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.192.172 as permitted sender)
X-PHP-List-Original-Sender: smalyshev@gmail.com
X-Host-Fingerprint: 209.85.192.172 mail-pf0-f172.google.com  
Received: from [209.85.192.172] ([209.85.192.172:34964] helo=mail-pf0-f172.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 4D/10-14749-07A48085 for <internals@lists.php.net>; Thu, 20 Oct 2016 00:39:13 -0400
Received: by mail-pf0-f172.google.com with SMTP id s8so28418111pfj.2
        for <internals@lists.php.net>; Wed, 19 Oct 2016 21:39:12 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=subject:to:references:cc:from:message-id:date:user-agent
         :mime-version:in-reply-to:content-transfer-encoding;
        bh=pabIuldUyjiQCXYPtNPF/MzNXq+dUsNuNBuXTKWSl0Q=;
        b=xRZvqk/FE/zJo0pC5tgm0FtlozXAnxA6dhMoyuxf09V8MmWJX6AFt0dFQtxtUBL3p9
         vmtMuiS7UGZzzrQuHcddTIO1RuUDFekai0W3Uxt5/l6X+Du0th5Mtgn7pRJsj8J+42bu
         TvpU6wq2UNbb1GbQwKeBzx2sEuCDa6dGIO+5hCXIBHvVSHd6nwJomy2WVvfDScFxPShw
         JpqdH16yXI22bzoYXdU3EyWtfMgQiwPVpstihA97OGJ5x4qmFGettqrFAToQCFo9/7dA
         qlWDAxjnXWq/KCGqLxQ7XH9AElSYkvjRjlPkW+mu8y6B4bMcx9Rf8tGpW45ElvvfjYvp
         nEHA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:subject:to:references:cc:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-transfer-encoding;
        bh=pabIuldUyjiQCXYPtNPF/MzNXq+dUsNuNBuXTKWSl0Q=;
        b=GoPY1MaKARxjlWzXr/a6/P//meyOt5gcA1V3bZcNE0hZevV7UnWkq5kITcHLmPnHPB
         IKjmQepqlhFRrTKBSP71vnYxXyxODrJJE9zT2hsrVxQTZASGgGkNI+KurTT10e+rMUjN
         /e2yGOqh7/py9m8Koo5B4Gl1cTc9YBfKKAFG7KmmKsizcrlsAQMm/s0NqBAzTGwG/EHm
         yXJgModDuTO0jo2axkwAxh7bxMkwJ05ZjACDd95Lojgsin838Sr3NKw6YDY+scVPNgxN
         i5FKUwTudKqM280nvr0PqOuM5DRC5YEL8AptdQWNsrp6QDijJHiLwIjXHwumKd5OLq8N
         KeHg==
X-Gm-Message-State: AA6/9Rn79ATOHZfEOvmJRCATiclvMMN9Af0z/HhsKwDMxBoYzwGage03T7eXC40R1RZYmQ==
X-Received: by 10.98.219.6 with SMTP id f6mr17900118pfg.72.1476938349590;
        Wed, 19 Oct 2016 21:39:09 -0700 (PDT)
Received: from Stas-Air.local (108-233-206-104.lightspeed.sntcca.sbcglobal.net. [108.233.206.104])
        by smtp.gmail.com with ESMTPSA id e90sm67325906pfd.5.2016.10.19.21.39.08
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 19 Oct 2016 21:39:09 -0700 (PDT)
To: Yasuo Ohgaki <yohgaki@ohgaki.net>,
 "internals@lists.php.net" <internals@lists.php.net>,
 Davey Shafik <davey@php.net>
References: <CAGa2bXb0CKP6=eZZk2atR5XGtR8JmQ3FG756wn0J7kkPGYFyZg@mail.gmail.com>
Cc: Xinchen Hui <laruence@php.net>
Message-ID: <1eab7492-596c-ffd2-81ed-0eb9256a033e@gmail.com>
Date: Wed, 19 Oct 2016 21:39:07 -0700
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0)
 Gecko/20100101 Thunderbird/45.4.0
MIME-Version: 1.0
In-Reply-To: <CAGa2bXb0CKP6=eZZk2atR5XGtR8JmQ3FG756wn0J7kkPGYFyZg@mail.gmail.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Subject: Re: [PHP-DEV] header() removes all header of the same name.
From: smalyshev@gmail.com (Stanislav Malyshev)

Hi!

> There is 2 issues.
>   - header() removes all headers of the same name including 'Set-Cookie'
>   - header() ignores replace flag. (This one is easy to fix)

We have the flag, so if it doesn't work it should be fixed. Also, one
should use setcookie() for cookies, usually.

> Possible resolutions:
> 
>  - Prohibit 'Set-Cookie' for header() and force users to use setcookie()
>  - Mitigate by disabling replace flag by default. (This is not a good idea, IMO)

I don't think we should do either.

> I would like to prohibit 'Set-Cookie' by header() because it may
> remove session ID cookie as well as auto login cookie, etc. If we
> leave released version as it is now, I would like to prohibit
> 'Set-Cookie' by header() in PHP 7.1.

I don't think it's a good idea. If somebody is using header(), it should
work like header() works. If you don't like how it works, use setcookie.

> Problem with this may be that user cannot modify 'Set-Cookie' header
> line as user want.
> 
> $ php -r 'setcookie("REMEMBERME=value; expires=Sat, 03-Sep-2020
> 05:38:43 GMT; path=/; domain=aaa");'
> PHP Warning:  Cookie names cannot contain any of the following '=,;
> \t\r\n\013\014' in Command line code on line 1

You are using setcookie() wrong here. See: http://php.net/setcookie

-- 
Stas Malyshev
smalyshev@gmail.com