Newsgroups: php.internals
Xref: news.php.net php.internals:96501
Date: Thu, 20 Oct 2016 15:58:12 +0900
From: yohgaki@ohgaki.net (Yasuo Ohgaki)
To: Stanislav Malyshev
Cc: "internals@lists.php.net", Davey Shafik, Xinchen Hui
In-Reply-To: <1eab7492-596c-ffd2-81ed-0eb9256a033e@gmail.com>
Subject: Re: [PHP-DEV] header() removes all header of the same name.

Hi Stas,

I posted an idea for preventing accidental cookie deletion. 'Set-Cookie' is an HTTP header, but we provide dedicated functions for it. I pasted it below with a little modification. What do you think?

Bottom line is I would like to prevent losing the session ID via header() in the future: implement cookie_*() functions in 7.x, then prohibit 'Set-Cookie' for header() in 8.x.

On Thu, Oct 20, 2016 at 1:39 PM, Stanislav Malyshev wrote:
>> There are 2 issues.
>> - header() removes all headers of the same name including 'Set-Cookie'
>> - header() ignores replace flag. (This one is easy to fix)
>
> We have the flag, so if it doesn't work it should be fixed. Also, one
> should use setcookie() for cookies, usually.

Another idea for session ID cookie and Set-Cookie header protection. Since we have the setcookie() function, how about having cookie-dedicated functions for cookie header manipulation? I'm about to create a new feature request as follows:

---------------------
Protect session ID and other cookies from header(), header_remove()
---------------------

header() removes any previously defined headers. header('Set-Cookie: something') / header_remove() deletes the session ID and other Set-Cookie headers. Cookies should be protected from header()/header_remove().

Instead, create new cookie functions:

cookie_set() - Set cookie header (setcookie() alias)
cookie_set_raw() - Set cookie header (setrawcookie() alias)
cookie_custom() - Set cookie with custom style. (The same as header(sprintf('Set-Cookie: %s', $something)))
cookie_list() - Mostly the same as headers_list()
cookie_remove([string $name]) - Mostly the same as header_remove(). Remove cookie header. $name parameter is the cookie name to be deleted.

Protect Set-Cookie headers from header() and header_remove()
----------------------

This implementation is cleaner because a core-to-session dependency is not required. It is also good to have a naming standard confirming cookie function names, i.e. cookie functions should be named cookie_*() according to CODING_STANDARDS.

--
Yasuo Ohgaki
yohgaki@ohgaki.net
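The interaction the thread is about, a raw header('Set-Cookie: ...') call issued after session_start() has already queued the session cookie, is easy to observe from user land with headers_list(). The script below is an added example, not code from the thread or from php-src; it does not assert what header() does to the queued Set-Cookie on any particular PHP version, it makes the outcome visible so a reader can check it against their own build. The helpers queued_cookies() and session_cookie_queued() and the file name cookie_check.php are assumptions of this example, not PHP built-ins. It must run under a web SAPI (the built-in server is enough), because headers_list() is always empty on the CLI SAPI.

```php
<?php
// Added example, not code from the thread or from php-src. It makes the effect of a raw
// header('Set-Cookie: ...') on the queued session cookie observable via headers_list().
//
// Run under a web SAPI (headers_list() is always empty on the CLI SAPI):
//   php -S 127.0.0.1:8080 cookie_check.php
//   curl -s 'http://127.0.0.1:8080/?mode=raw'
//   curl -s 'http://127.0.0.1:8080/?mode=append'
//   curl -s 'http://127.0.0.1:8080/?mode=setcookie'
declare(strict_types=1);

// Hypothetical helper (not a PHP built-in): the Set-Cookie headers currently queued
// for this response, filtered out of headers_list().
function queued_cookies()
{
    $cookies = array();
    foreach (headers_list() as $h) {
        if (stripos($h, 'Set-Cookie:') === 0) {
            $cookies[] = $h;
        }
    }
    return $cookies;
}

// Hypothetical helper: is a Set-Cookie for the session cookie (PHPSESSID by default)
// still queued?
function session_cookie_queued()
{
    $needle = session_name() . '=';
    foreach (queued_cookies() as $h) {
        if (strpos($h, $needle) !== false) {
            return true;
        }
    }
    return false;
}

header('Content-Type: text/plain');

// curl sends no Cookie header, so every request starts a fresh session and
// session_start() queues "Set-Cookie: PHPSESSID=...".
session_start();
$before = queued_cookies();

$mode   = isset($_GET['mode']) ? $_GET['mode'] : 'setcookie';
$cookie = 'theme=dark; Path=/; HttpOnly; SameSite=Lax';

switch ($mode) {
    case 'raw':
        // The call pattern discussed in the thread: a raw Set-Cookie through header()
        // with the default replace=true.
        header('Set-Cookie: ' . $cookie);
        break;
    case 'append':
        // Same header, but replace=false asks header() to keep earlier Set-Cookie headers.
        header('Set-Cookie: ' . $cookie, false);
        break;
    default:
        // setcookie() adds a header instead of replacing, so the session cookie is untouched.
        // (SameSite is omitted here: this positional signature predates the PHP 7.3 options array.)
        setcookie('theme', 'dark', 0, '/', '', false, true);
        $mode = 'setcookie'; // normalise unknown values before echoing
}

$after = queued_cookies();

echo "mode:                     $mode\n";
echo "Set-Cookie queued before: " . count($before) . "\n";
echo "Set-Cookie queued after:  " . count($after) . "\n";
echo "session cookie queued:    " . (session_cookie_queued() ? 'yes' : 'NO') . "\n";
```

Compare the three modes on the same build: if "session cookie queued" is NO for mode=raw, the raw header() call dropped the session cookie as the first message in the thread describes; if it is also NO for mode=append, the replace flag is not being honoured for Set-Cookie, which is the second issue raised. The setcookie() path is the one Stas recommends and is the reference result for the other two.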