Newsgroups: php.internals
Date: Thu, 20 Oct 2016 21:26:54 +0900
To: Niklas Keller
Cc: Stephen Reay, Stanislav Malyshev, "internals@lists.php.net", Davey Shafik, Xinchen Hui
Subject: Re: [PHP-DEV] header() removes all header of the same name.
From: yohgaki@ohgaki.net (Yasuo Ohgaki)

Hi Niklas,

On Thu, Oct 20, 2016 at 9:21 PM, Niklas Keller wrote:
> 2016-10-20 13:41 GMT+02:00 Yasuo Ohgaki :
>>
>> Hi Stephen,
>>
>> On Thu, Oct 20, 2016 at 8:24 PM, Stephen Reay wrote:
>> > The *only* solution that retains full control for the developer, is no
>> > change. Any “magic” about “untouchable” cookie headers (e.g. forcing the
>> > session cookie header after userland cookie headers) takes away options
>> > for the developer.
>>
>> My cookie*() functions proposal allows developers to remove a header by
>> cookie_remove() and send any cookie header by cookie_custom().
>> Therefore, developers have full control if they have to.
>>
>> The only pain is that users may have to use cookie*() functions if we
>> disallow header('Set-Cookie'), which will be a vote option. If there are
>> fully functional cookie*() functions, it will mitigate wrong
>> header('Set-Cookie') usage regardless of the vote result, hopefully.
>
> What about extensions to the `set-cookie` header? Take `SameSite` as a
> recent example. The `setcookie` API doesn't cover that. Besides that, the
> current `setcookie` API is awful, people just added more and more
> parameters.
>
> Before we even discuss disallowing `header("set-cookie")`, we should have a
> sane cookie API, e.g. one like `setcookie($name, $value, $flags)`.

Sure, I will. I don't like it either. An array can be used for this.

>
> That's also the way we implemented it in Aerys
> (https://github.com/amphp/aerys/blob/9a7327f062aa678408dfe4f4c3c7f479db16f187/lib/Response.php#L49-L58).
> It's a simple wrapper around `addHeader` to make life easier, but it doesn't
> restrict developers from calling `setHeader` and replacing all `set-cookie`
> headers.

The function does it :)

Regards,

--
Yasuo Ohgaki
yohgaki@ohgaki.net
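
A sketch of the `($name, $value, $flags)` shape discussed in this thread, added here as an illustration; it is not part of the original message, not PHP's own API, not the proposed cookie*() functions and not the Aerys code. The names `build_set_cookie()` and `send_cookie()`, the flag keys and the sample values are assumptions made for the example.

```php
<?php
// Added example: hypothetical helpers showing a flags-array cookie API
// that covers SameSite and appends instead of replacing Set-Cookie headers.

function build_set_cookie(string $name, string $value, array $flags = []): string
{
    // Conservative subset of the token characters allowed in a cookie name;
    // rejects separators and control characters that could split the header.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    $parts = [$name . '=' . rawurlencode($value)];

    foreach (['path' => 'Path', 'domain' => 'Domain'] as $key => $attr) {
        if (isset($flags[$key])) {
            // A ';' or control character here would inject extra attributes.
            if (preg_match('/[;\x00-\x1f\x7f]/', (string) $flags[$key])) {
                throw new InvalidArgumentException("invalid $key");
            }
            $parts[] = $attr . '=' . $flags[$key];
        }
    }
    if (isset($flags['expires'])) {
        $parts[] = 'Expires=' . gmdate('D, d M Y H:i:s', (int) $flags['expires']) . ' GMT';
    }
    if (!empty($flags['secure'])) {
        $parts[] = 'Secure';
    }
    if (!empty($flags['httponly'])) {
        $parts[] = 'HttpOnly';
    }
    if (isset($flags['samesite'])) {
        $mode = ucfirst(strtolower((string) $flags['samesite']));
        if (!in_array($mode, ['Strict', 'Lax', 'None'], true)) {
            throw new InvalidArgumentException('invalid samesite');
        }
        $parts[] = 'SameSite=' . $mode;
    }
    return 'Set-Cookie: ' . implode('; ', $parts);
}

function send_cookie(string $name, string $value, array $flags = [])
{
    // $replace = false appends this header. The default (true) would drop
    // every Set-Cookie header already queued, including the session cookie.
    header(build_set_cookie($name, $value, $flags), false);
}

// Constructed sample values.
echo build_set_cookie('theme', 'dark mode', ['path' => '/', 'secure' => true,
    'httponly' => true, 'samesite' => 'lax']), "\n";
```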