|
|
php.net | support | documentation | report a bug | advanced search | search howto | statistics | random bug | login |
[2005-04-23 14:19 UTC] ast at gmx dot ch
Description: ------------ iliaa@php.net, you closed the bug prematurely. It is indeed a PHP bug. Let me explain... From RFC 2965, which obsoletes 2109, and is the reference for cookie / HTTP state management mechanism: http://www.faqs.org/rfcs/rfc2965 See 4.2 Example 2 Imagine the user agent has received, in response to earlier requests, the response headers Set-Cookie2: Part_Number="Rocket_Launcher_0001"; Version="1"; Path="/acme" and Set-Cookie2: Part_Number="Riding_Rocket_0023"; Version="1"; Path="/acme/ammo" A subsequent request by the user agent to the (same) server for URLs of the form /acme/ammo/... would include the following request header: Cookie: $Version="1"; Part_Number="Riding_Rocket_0023"; $Path="/acme/ammo"; Part_Number="Rocket_Launcher_0001"; $Path="/acme" Note that the NAME=VALUE pair for the cookie with the more specific Path attribute, /acme/ammo, comes before the one with the less specific Path attribute, /acme. Further note that the same cookie name appears more than once. Also from the RFC: If multiple cookies satisfy the criteria above, they are ordered in the Cookie header such that those with more specific Path attributes precede those with less specific. Ordering with respect to other attributes (e.g., Domain) is unspecified. My example is a little specific, but is described in http://gallery.menalto.com/index.php?name=PNphpBB2&file=viewtopic&t=29223. I tested with ethereal, to look into the packets my browser actually sent to the webserver. IE and FF behave the same way. The HTTP header containing the cookies looked the same in both browsers and conformed to the RFC2965. The most specific matched cookies (path) are listed first, the least specific matching cookies last, all NAME=VALUE pairs are delimited by a semicolon. There are a number of options to retrieve cookie data in php. $_COOKIE is indexed by NAME, so you get only a single cookie if mutliple cookies have the same NAME but a different path. That's not good. And $_COOKIE['COOKIENAME'] is the least specific cookie. I guess, php just runs through the Cookie: header and does something like $_COOKIE[$NAME] = $value, replacing more specific cookies with less specific cookies. $_GLOBALS['HTTP_SERVER_VARS'] lists all cookies, according to the RFC2965 specification! That's good. Same for $_GLOBALS['_SERVER']['HTTP_COOKIE'] = $_SERVER['HTTP_COOKIE']. This is good! Example showing multiple cookies with NAME = GALLERYSID (they have different paths), I have this from print_r($_SERVER): [HTTP_COOKIE] => GALLERYSID=6fb8f64ad5107c62b812f9c4d3cd69b0; G2_hybrid=1%3B5%3B1%3B1%3B1%3B0%3B; xarayaclassic_textsize=Small classictext; GALLERYSID=8603809d6b5671bbef5d4b8465d0db89; xarayaclassic_colscheme=null So the browsers comply with RFC 2965, but PHP doesn't. What should be fixed: The most specific path matched cookie should be in the $_COOKIE array, not the least specific matched cookie! I.e. when parsing HTTP header Cookie: from left to right, do this: if (!isset($_COOKIE[$name])) { $_COOKIE[$name] = $value; } instead of just $_COOKIE[$name] = $value; PatchesPull RequestsHistoryAllCommentsChangesGit/SVN commits
|
|||||||||||||||||||||||||||||||||||||
Copyright © 2001-2025 The PHP GroupAll rights reserved. |
Last updated: Fri Oct 24 08:00:01 2025 UTC |
Here is a fix for my application. /** * Fix the superglobal $_COOKIE to conform with RFC 2965 * * We don't use $_COOKIE[$cookiename], because it doesn't conform to RFC 2965 (the * cookie standard), i.e. in $_COOKIE, we don't get the cookie with the most specific path for * a given cookie name, we get the cookie with the least specific cookie path. * This function does it exactly the other way around to conform with the RFC. * * This function reevaluates the HTTP Cookie header and populates $_COOKIE with the correct * cookies. * * @static */ function fixCookieVars() { if (isset($_SERVER['HTTP_COOKIE']) && !empty($_SERVER['HTTP_COOKIE'])) { $allCookies = explode(';', $_SERVER['HTTP_COOKIE']); /* * Get rid of less specific cookies if multiple cookies with the same NAME * are present. Do this by going from left/first cookie to right/last cookie. */ /* Reset the $_COOKIE array */ $_COOKIE = array(); /* Repopulate it, but now correctly */ foreach ($allCookies as $cookie) { /* Split NAME [=VALUE], value is optional */ $cookie = explode('=', $cookie); $key = preg_replace('|\s|', '', $cookie[0]); $value = isset($cookie[1]) ? $cookie[1] : ''; if (!isset($_COOKIE[$key])) { $_COOKIE[$key] = $value; } } } } }Reproduce script: <?php setcookie("TestCookie", "Value1", time()+3600, "/test/"); setcookie("TestCookie", "Value2", time()+3600, "/"); if (!isset($_COOKIE['TestCookie'])) { header("Location: {$_SERVER['PHP_SELF']}"); exit(); } echo '<pre>'; var_dump($_COOKIE); var_dump($_SERVER['HTTP_COOKIE']); echo '</pre>'; ?>