PHP :: Bug #76688 :: Cookie $options should not allow further arguments

Bug #76688	Cookie $options should not allow further arguments
Submitted:	2018-07-31 21:17 UTC	Modified:	2018-08-07 21:39 UTC
From:	cmb@php.net	Assigned:	pmmaga (profile)
Status:	Closed	Package:	Network related
PHP Version:	7.3Git-2018-07-31 (Git)	OS:	*
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	cmb@php.net
New email:
PHP Version:		OS:

New Comment:

[2018-07-31 21:17 UTC] cmb@php.net

Description:
------------
The support for SameSite cookie directives[1] introduced $option
parameters for setcookie(), setrawcookie() and
session_set_cookie_params(), but these appear to allow further
arguments to be passed, which does not appear to conform to the
respective RFC[2], and is generally confusing.

[1] <https://github.com/php/php-src/pull/3398>
[2] <https://wiki.php.net/rfc/same-site-cookie#proposal>


Test script:
---------------
<?php
session_set_cookie_params(array('path'=>'/foo/'), 'bar', 'www.example.com');
var_dump(session_get_cookie_params());

Expected result:
----------------
A warning regarding excess arguments, which should be ignored for
further processing.

Actual result:
--------------
array(6) {
  ["lifetime"]=>
  int(0)
  ["path"]=>
  string(5) "/foo/"
  ["domain"]=>
  string(15) "www.example.com"
  ["secure"]=>
  bool(false)
  ["httponly"]=>
  bool(false)
  ["samesite"]=>
  string(0) ""
}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2018-07-31 21:29 UTC] phpdev at ehrhardt dot nl

Related to the same RFC implementation: php_setcookie requires a 9th argument now. This line:

https://github.com/pmjones/ext-request/blob/master/serverresponse.c#L1034

leads to

serverresponse.c(1034): error C2198: 'php_setcookie': too few arguments for call

It only compiles on Windows if you add an extra argument NULL.

[2018-07-31 21:33 UTC] phpdev at ehrhardt dot nl

The referenced line is

    php_setcookie(name, value, expires, path, domain, secure, !raw, httponly);

And has to be changed to

    php_setcookie(name, value, expires, path, domain, secure, !raw, httponly, NULL);

to make it compile.

[2018-07-31 22:16 UTC] requinix@php.net

@phpdev: That's right, this does come with an API change, and as with any new series existing extensions may not be source-compatible.
But just because it compiles does not mean it's correct. Simply adding NULL is wrong. You should wait until the author updates for PHP 7.3.

[2018-07-31 23:07 UTC] pmmaga@php.net

-Assigned To: +Assigned To: pmmaga

[2018-08-07 21:39 UTC] cmb@php.net

For reference: <https://github.com/php/php-src/pull/3424>.

[2018-08-12 13:50 UTC] cmb@php.net

Automatic comment on behalf of mail@pmmaga.net
Revision: http://git.php.net/?p=php-src.git;a=commit;h=a16aee6cee77571e3af604117bdc48b75d8a3315
Log: Fix #76688: Disallow excessive parameters after options array

[2018-08-12 13:50 UTC] cmb@php.net

-Status: Assigned +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sat Oct 25 15:00:01 2025 UTC