PHP :: Bug #18337 :: General cookies have higher priority than specific

Bug #18337

General cookies have higher priority than specific

Submitted:

2002-07-14 09:09 UTC

Modified:

2002-11-06 10:40 UTC

Votes:	5
Avg. Score:	4.0 ± 0.9
Reproduced:	3 of 4 (75.0%)
Same Version:	1 (33.3%)
Same OS:	0 (0.0%)

From:

shaggy at vip dot bg

Assigned:

Status:

Not a bug

Package:

HTTP related

PHP Version:

4.2

OS:

All

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	shaggy at vip dot bg
New email:
PHP Version:		OS:

New Comment:

[2002-07-14 09:09 UTC] shaggy at vip dot bg

I use PHP compiled from sources,

./configure --with-pgsql --with-mysql --with-zlib --with-apache=dir

Consider the following code has been executed, and another page loaded

setcookie('test', 'value1', time()+3600, '/foo/bar/');
setcookie('test', 'value2', time()+3600, '/');
setcookie('test', 'value3', time()+3600, '/foo/');

When a browser requests a file under the /foo/bar/ directory it sends the cookies
with the most specific one first:
test="value1"; $Path="/foo/bar";
test="value3"; $Path="/foo/";
test="value2"; $Path="/";

Then PHP processes these and it overrides the first two cookies with the most general one which is incorrect.

The correct behaviour is to leave the value of the cookie set to the most specific one.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-07-14 09:28 UTC] derick@php.net

Working on it...

Derick

[2002-07-14 11:26 UTC] derick@php.net

Partly fix can be found here:
http://files.derickrethans.nl/cookie_patch.diff

As I have no more time to finish it I just share it here, it works, but not for registered globals.

Derick

[2002-08-06 14:05 UTC] blackdragon3001 at hotmail dot com

I have win XP and PHP 4.2.2!
I have the same problem!

I have see this :http://files.derickrethans.nl/cookie_patch.diff
but can I use this and how?

[2002-08-08 06:54 UTC] jait at ee dot oulu dot fi

Correct me if I'm wrong but according to

http://wp.netscape.com/newsref/std/cookie_spec.html

it seems that there can be multiple cookie definitions with the same name. And as long as the path is different NONE of them should get overrided.

And if BOTH name and path equal the most recent cookie should be the only one that's valid.

So don't you think the correct behaviour is to pass ALL the cookies to the script as long as the path is different?

But this is kinda difficult with the way the $_COOKIE array is currently implemented.

jt

[2002-08-08 19:10 UTC] shaggy at vip dot bg

You're quiete right, the problem is I don't know how one can store this information in the _COOKIE array without breaking old apps.

The Netscape docs actually are superceded by an RFC, anyway it says that if there's more than one cookie the most specific should be taken into account - if the app can't deal with them all.

[2002-08-09 16:25 UTC] dsguy04 at hotmail dot com

how do i fix it using http://files.derickrethans.nl/cookie_patch.diff ??????
what do i do with that stuff?????? im having this prob too

[2002-08-09 19:39 UTC] shaggy at vip dot bg

Depends on your OS:
On Unices say man patch to get the idea.

If you're on Windows search for Deloire/Cygnus and diffutils, unpack and patch.exe is in the bin directory.
Note: This is not a support forum or something.

[2002-11-06 10:40 UTC] iliaa@php.net

Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

This is more of a browser issue then anything else. I did a tcpdump of what is happening with your test code. All 3 cookie headers are sent by PHP, it is then up to the browser to determine which cookie to keep and send back.
For example Mozilla 1.0, Opera 6.02 and IE 6.0 have sent back the following header 'Cookie: test=value2', while Konqueror sent back Cookie: test=value3; test=value1.

It seems to me, that it is the browser's job to decide which cookie to keep and which to throw away.

 sent the last cookie only (value 3), Konqueror 3.0 sent 'Cookie: test=value3; test=value1'.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Wed Nov 05 00:00:02 2025 UTC