php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #34734 Bugfix #32827 is incorrect
Submitted: 2005-10-04 17:38 UTC Modified: 2005-10-05 10:39 UTC
From: gustav at cst dot co dot za Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.4.0 OS: Windows Server 2003
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: gustav at cst dot co dot za
New email:
PHP Version: OS:

 

 [2005-10-04 17:38 UTC] gustav at cst dot co dot za 
Description:
------------
This bug was classified "Won't fix" before, because according to sesser@php.net, it would not be backwards compatible with the netscape cookie specification. See <a href="http://bugs.php.net/bug.php?id=32827">#32827</a> for details.

However, sesser@php.net's interpretation of the netscape cookie standard is incompatible with the HTTP protocol specification and the "HTTP State Management Mechanism" specification.

"Backwards compatability" in this case breaks more than it fixes. See <a href="http://bugs.php.net/bug.php?id=32966">#32966</a> and <a href="http://bugs.php.net/bug.php?id=32111">#32111</a> for details.

The problem I encountered is the same as #32966. I get two "Cookie:" headers which are then combined into one by seperating them with a comma. This breaks the session id.

Now my motivation for why cookies *must* be allowed to be comma seperated:

In both the HTTP/1.0 and HTTP/1.1 protocol specifications (RFCs 1945 and 2068) it is stated in section 4.2 (Message Headers) that:

   Multiple HTTP-header fields with the same field-name may be present
   in a message if and only if the entire field-value for that header
   field is defined as a comma-separated list [i.e., #(values)]. It must
   be possible to combine the multiple header fields into one "field-
   name: field-value" pair, without changing the semantics of the
   message, by appending each subsequent field-value to the first, each
   separated by a comma.

Also, in the "HTTP State Management Mechanism" specification (RFC 2965) section 3.3.4 (Sending Cookies to the Origin Server) defines the syntax of the cookie header as:

cookie  = "Cookie:" cookie-version 1*((";" | ",") cookie-value)

Thereby showing that plain commas imply a seperate cookie.


Reproduce code:
---------------
Using a raw telnet session to IIS running PHP:

GET / HTTP/1.0
Host: myhost.somewhere.com
Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
Cookie: $Version="1"; id="8"; 


Expected result:
----------------
No error.

Actual result:
--------------
session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-10-04 18:27 UTC] sniper@php.net 
Stefan, you had a patch ready? :)
 [2005-10-04 18:29 UTC] sesser@php.net 
Version 1 Cookies are not suppoted by PHP

Therefore whatever RFC 2965 says is irrelevant

If you want version 1 cookie support, then add a feature request
 [2005-10-05 10:39 UTC] gustav at cst dot co dot za 
Even if Cookie Version 1 support is irrelevant, HTML 1.0/1.1 support is not.

If there are two cookie headers, they *must* be joinable with a comma. That's the (HTML) standard.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Wed Jul 02 07:01:33 2025 UTC