php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #16803 Using header() to set multiple cookies only sets the last cookie.
Submitted: 2002-04-24 14:09 UTC Modified: 2002-04-30 15:26 UTC
Votes:8
Avg. Score:4.9 ± 0.3
Reproduced:8 of 8 (100.0%)
Same Version:6 (75.0%)
Same OS:2 (25.0%)
From: cabel-s at panic dot com Assigned:
Status: Not a bug Package: Apache2 related
PHP Version: 4.2.0 OS: RedHat 7.2
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: cabel-s at panic dot com
New email:
PHP Version: OS:

 

 [2002-04-24 14:09 UTC] cabel-s at panic dot com 
(Also see Bug #16626)

Bug #16626 explains that when using setcookie() with PHP 4.2.0 and Apache 2.0.35, only the LAST call to setcookie() will be actually sent in the HTTP headers -- all previous calls/cookies will be ignored and not sent.

This bug expands on this by discovering that the same problem affects the header() call.

For example, try running the following test script in PHP 4.2.0 and Apache 2.0.35:

--

<?php

// Only "three=three" will get sent!

header("Set-Cookie: one=one");
header("Set-Cookie: two=two");
header("Set-Cookie: three=three");

// These will both be sent unharmed.

header("Set-Monkey: eep");
header("Set-Fish: glug");

// Location gets sent fine...

header("Location: http://www.panic.com/");

?>

--

You can verify that ONLY the last cookie ("three") is being sent by either turning on per-cookie ask in your browser, or running a packet sniffer and looking at the HTTP response. In the example above, the HTTP headers look like:

[...]
X-Powered-By: PHP/4.2.0
Set-Cookie: three=three
Set-Money: eep
Set-Fish: glug
Location: http://www.panic.com/
Content-Length: 0
[...]

Thanks for looking into this!

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-04-24 19:17 UTC] yohgaki@php.net 
Please _search_ bug db first.
There are sevral reports for this.

I appreciate if you could search and comment bug # that is active for this bug, then change status to Duplicate.

Thank you.
 [2002-04-24 19:26 UTC] cabel-s at panic dot com 
Hello! Thanks for your note -- of course I searched first! 
:)

As I say first in my notes, bug #16626 is very similar and 
may even be the same problem -- it details problems using 
setcookie() -- but I thought filing this bug would be 
helpful because it details that the problem also exists 
with header(), not just setcookie(). Is that not helpful 
for you guys? If so, let me know, and I'll close this.

I searched for all "open" bugs with the string "header", 
and with PHP version 4.2.0 (since this relates to Apache 
2), and found nothing.

I'm sorry -- if this IS truly a duplicate bug, I am unable 
to find its friends right away, but I will keep looking! If 
I find something, I'll mark it duplicate.
 [2002-04-30 15:26 UTC] jimw@php.net 
read the documentation for header(). it replaces headers with the same name unless you tell it otherwise. (the issue with setcookie() probably could very well be a bug, but we've got #16626 to track that.)
 [2002-06-20 10:03 UTC] red at tripany dot com 
Well after extensive testing, I have to conclude it's probably not a php (alone) problem.
I have tried:
PHP ver.     Apache ver.    --enable-so    works?   error
---------------------------------------------------------
4.2.1            2.0.39             yes       no     yes
2.1              36                 yes       yes    no
2.0              39                 yes       no     yes
2.0              36                 no        no     yes
2.0              36                 yes       yes    no
4.0.3pl1         1.3.9              ?         yes    ?

(4.0.3pl1 is the standard debian package)
The rest of the 2.1 installations (with apache 39) don't work and give errors, so there's some problem with the apxs interaction between php and httpd 2.0.39. As php2.1.0 works with httpd 2.0.36 I'm now assuming there was a change in the apxs of apache in the security fix version which renders the multiple cookies unwriteable. I'll send this off to apache as well.
Cheers
Robin
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Fri May 09 04:01:27 2025 UTC