Newsgroups: php.internals
Xref: news.php.net php.internals:96503
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Date: Thu, 20 Oct 2016 14:49:24 +0700
To: Yasuo Ohgaki
Cc: Stanislav Malyshev, internals@lists.php.net, Davey Shafik, Xinchen Hui
Message-ID: <2E8E6A4C-C40D-4195-BF34-6FD32F90B8D8@koalephant.com>
References: <1eab7492-596c-ffd2-81ed-0eb9256a033e@gmail.com>
Subject: Re: [PHP-DEV] header() removes all header of the same name.
From: php-lists@koalephant.com (Stephen Reay)

Hi All,

Just to make my earlier point of view crystal clear: As a purely userland party and someone maintaining a PHP framework, I don’t think it’s acceptable to limit which headers header()/header_remove() can operate on, particularly when the problem you’re trying to ‘solve’ is simply incorrect use of the functions available. It *is* possible to achieve any outcome desired with *correct* use of the header, session and cookie functions (and assuming the $replace argument to header() works correctly).

I still believe the way to solve this issue is with better information about usage, not by removing existing functionality.

So, please do *not* consider this to be an acceptable solution.

Cheers

Stephen

> On 20 Oct 2016, at 13:58, Yasuo Ohgaki wrote:
>
> Hi Stas,
>
> I posted an idea for preventing accidental cookie deletion.
> 'Set-Cookie' is an HTTP header, but provide dedicated functions for it. I pasted
> it with a little modification.
> What do you think?
>
> Bottom line is I would like to prevent lost session ID by header()
> in the future.
>
> Implement cookie_*() functions in 7.x, then prohibit 'Set-Cookie' for
> header() in 8.x
>
> On Thu, Oct 20, 2016 at 1:39 PM, Stanislav Malyshev wrote:
>>> There are 2 issues.
>>> - header() removes all headers of the same name including 'Set-Cookie'
>>> - header() ignores replace flag. (This one is easy to fix)
>>
>> We have the flag, so if it doesn't work it should be fixed. Also, one
>> should use setcookie() for cookies, usually.
>
>
> Another idea for session ID cookie and Set-Cookie header protection.
>
> Since we have setcookie() function, how about having cookie
> dedicated functions for cookie header manipulation.
>
> I'm about to create new feature request as follows:
> ---------------------
> Protect session ID and other cookies from header(), header_remove()
> ---------------------
> header() removes any previously defined headers.
> header('Set-Cookie: something') / header_remove() deletes session ID
> and other Set-Cookie headers. Cookies should be protected from
> header()/header_remove().
>
> Instead, create new cookie functions
>
> cookie_set() - Set cookie header (setcookie() alias)
> cookie_set_raw() - Set cookie header (setrawcookie() alias)
> cookie_custom() - Set cookie with custom style.
> (The same as header(sprintf('Set-Cookie: %s', $something)))
> cookie_list() - Mostly the same as headers_list()
> cookie_remove([string $name]) - Mostly the same as header_remove()
> Remove cookie header. $name parameter is cookie name to be deleted.
>
> Protect Set-Cookie headers from header() and header_remove()
> ----------------------
>
> This implementation is cleaner because core to session
> dependency is not required. It is also good to have naming standard
> conforming cookie function names. i.e. Cookie functions should be
> named cookie_*() according to CODING_STANDARDS.
>
> --
> Yasuo Ohgaki
> yohgaki@ohgaki.net
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>
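The behaviour the thread argues about, as an added example that is not code from the thread, from php-src or from any of the participants: a page that queues the session ID cookie and a second cookie, shows what a bare header('Set-Cookie: ...') does to them, shows the correct use of $replace = false that Stephen refers to, and then implements in userland the per-name removal that Yasuo's proposed cookie_remove() would provide. The function names queued_cookies() and cookie_remove_userland() are hypothetical. It assumes the $replace argument of header() behaves as the manual documents (the thread notes it did not at the time), and it must run under a web SAPI on a request that carries no session cookie yet, since headers_list() is empty and nothing is sent under the CLI SAPI.

```php
<?php
// Added example, not code from the php-internals thread or from php-src.
// Run it under a web SAPI, e.g.
//   php -S 127.0.0.1:8080 cookie_demo.php
//   curl -i http://127.0.0.1:8080/
// Assumes header()'s $replace argument works as documented: true replaces the
// previously queued header(s) of that name, false appends another one.
declare(strict_types=1);

/** Return the Set-Cookie headers queued so far, keyed by cookie name. */
function queued_cookies(): array
{
    $cookies = [];
    foreach (headers_list() as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            continue;
        }
        $value = ltrim(substr($line, strlen('Set-Cookie:')));
        // cookie-name is the text before the first '=' of the first attribute
        $name = explode('=', explode(';', $value, 2)[0], 2)[0];
        $cookies[$name] = $value;
    }
    return $cookies;
}

/**
 * Userland stand-in for the cookie_remove() proposed in the thread (the name
 * cookie_remove_userland is hypothetical). header_remove('Set-Cookie') is
 * all-or-nothing, so every cookie except $name is re-queued with $replace =
 * false, which keeps the session ID cookie intact.
 */
function cookie_remove_userland(string $name): void
{
    $keep = queued_cookies();
    unset($keep[$name]);
    header_remove('Set-Cookie');
    foreach ($keep as $value) {
        header('Set-Cookie: ' . $value, false);
    }
}

$snapshots = [];

session_start();                                   // queues the session ID cookie
setcookie('theme', 'dark', 0, '/', '', false, true); // positional form works on all PHP 7+
$snapshots['after session_start() and setcookie()'] = array_keys(queued_cookies());

// 1. The accident the thread describes: $replace defaults to true, so this one
//    call replaces what was queued under Set-Cookie, session ID included.
$sessionCookie = queued_cookies()[session_name()] ?? null;
header('Set-Cookie: tracker=1; Path=/');
$snapshots['after header() with default $replace'] = array_keys(queued_cookies());

// 2. Correct use: put the session cookie back and append with $replace = false.
if ($sessionCookie !== null) {
    header('Set-Cookie: ' . $sessionCookie, false);
}
setcookie('theme', 'dark', 0, '/', '', false, true);
header('Set-Cookie: consent=yes; Path=/; SameSite=Lax', false);
$snapshots['after re-adding with $replace = false'] = array_keys(queued_cookies());

// 3. Remove a single cookie by name without touching the session ID.
cookie_remove_userland('tracker');
$snapshots['after cookie_remove_userland(\'tracker\')'] = array_keys(queued_cookies());

header('Content-Type: application/json');
echo json_encode($snapshots, JSON_PRETTY_PRINT), "\n";
```

The JSON body lists which cookie names are still queued after each step, and the Set-Cookie lines in the actual response (curl -i) are the ground truth to compare against; if the second snapshot still contains the session cookie name, the $replace semantics differ from the documented ones on that PHP build, which is the bug the thread discusses.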