php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #69523 setcookie() uses second parameter as name (first param)
Submitted: 2015-04-24 10:55 UTC Modified: 2015-05-12 08:50 UTC
From: florian dot schmidt dot welzow at t-online dot de Assigned: jpauli (profile)
Status: Closed Package: *Web Server problem
PHP Version: Irrelevant OS: Ubuntu 14.04.2
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: florian dot schmidt dot welzow at t-online dot de
New email:
PHP Version: OS:

 

 [2015-04-24 10:55 UTC] florian dot schmidt dot welzow at t-online dot de 
Description:
------------
If you use the script provided in "Test script" section, you''ll set a new cookie with the name "value" and an empty value. That seems to be a false behavior, the name of the cookie is required[1] and php should throw a fatal error, if an empty name is provided.

[1] http://php.net/manual/de/function.setcookie.php

Test script:
---------------
setcookie('', 'value', time()+10);
var_dump($_COOKIE);

Expected result:
----------------
Warning/Fatal error

Actual result:
--------------
A new cookie set with "value" as "name"

Patches

not_tested_check_for_name_argument (last revision 2015-04-24 11:11 UTC by florian dot schmidt dot welzow at t-online dot de)

Pull Requests

Pull requests:

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-04-24 14:49 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Package: Output Control +Package: *Web Server problem -Assigned To: +Assigned To: cmb
 [2015-04-24 14:49 UTC] cmb@php.net 
Consider the following statement:

  setcookie('', 'value');
  
This constructs the following header field:

  Set-Cookie: =value
  
This header field conforms to RFC 6265, section 4.1.1[1], because
cookie-name may be empty. So PHP allows what is permitted according
to the relevant RFC.

What's happening on the client side is not a PHP issue. The
behavior your are describing (name and value are swapped) happens
on Chrome 42.0.2311.90 m, but not on Firefox 37.0.2, for instance.

[1] <http://tools.ietf.org/html/rfc6265#section-4.1.1>
 [2015-04-28 23:50 UTC] a at b dot c dot de 
That RFC gives the productions

 set-cookie-header = "Set-Cookie:" SP set-cookie-string
 set-cookie-string = cookie-pair *( ";" SP cookie-av )
 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 token             = <token, defined in [RFC2616], Section 2.2>

Where the latter reference defines "token" as
       token          = 1*<any CHAR except CTLs or separators>

CTL being ASCII control characters and "separators" being a list of punctuation marks.

So a cookie-name has to be a token, which is by definition _at least_ one character long.
 [2015-04-29 00:00 UTC] requinix@php.net 
Given that a name-less Set-Cookie header can cause problems (at the very least unexpected, probably browser-dependent behavior), a warning and no header seems like a good idea. Would be an easy patch too.
 [2015-04-29 00:39 UTC] cmb@php.net
-Status: Not a bug +Status: Open
 [2015-04-29 00:39 UTC] cmb@php.net 
> cookie-name       = token
> token          = 1*<any CHAR except CTLs or separators>

Obviously, you're right and I was mistaken.

> [...] a warning and no header seems like a good idea.

A notice might suffice, and it may be considered to check the
cookie name against the specified grammar (not only hinting at
empty names).
 [2015-05-01 22:24 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed -Assigned To: cmb +Assigned To:
 [2015-05-12 08:50 UTC] jpauli@php.net
-Status: Analyzed +Status: Feedback
 [2015-05-12 08:50 UTC] jpauli@php.net 
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I merged the PR with a WARNING error, we still can change it to a NOTICE in the future, if someone objects.
 [2015-05-12 08:50 UTC] jpauli@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: jpauli
 [2015-05-12 08:50 UTC] jpauli@php.net 
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Oct 27 15:00:01 2025 UTC