Bug #77612 setcookie() sets incorrect SameSite header if all of its options filled
Submitted: 2019-02-13 12:19 UTC Modified: 2019-02-14 09:28 UTC
From: yura3d at tut dot by Assigned: nikic (profile)
Status: Closed Package: HTTP related
PHP Version: 7.3.2 OS: Debian 9.7/Kernel 4.9.0
Private report: No CVE-ID: None
 [2019-02-13 12:19 UTC] yura3d at tut dot by
Description:
------------
If I call setcookie(string $name, string $value, array $options) with all of the options passed (expires, path, domain, secure, httponly, samesite), PHP generates an incorrect Set-Cookie HTTP header: the SameSite parameter is empty if I set "Lax", or "Str" if I set "Strict". But if I omit, for example, one option for setcookie (let it be "path"), everything is fine. This behavior doesn't depend on cookie value length.

Test script:
---------------
setcookie('key', 'value', [
    'expires' => time() + 31536000,
    'path' => '/',
    'domain' => 'example.com',
    'secure' => true,
    'httponly' => true,
    'samesite' => 'Lax'
]);
// Expected:
// Set-Cookie: key=value; expires=Thu, 13-Feb-2020 12:06:47 GMT; Max-Age=31536000; path=/; domain=example.com; secure; HttpOnly; SameSite=Lax
// Actual:
// Set-Cookie: key=value; expires=Thu, 13-Feb-2020 12:06:47 GMT; Max-Age=31536000; path=/; domain=example.com; secure; HttpOnly; SameSite=


Patches

bug77512.patch (last revision 2019-02-13 12:55 UTC by yohgaki at ohgaki dot net)

Pull Requests

History

 [2019-02-13 12:57 UTC] yohgaki@php.net
-Status: Open +Status: Verified
 [2019-02-13 12:57 UTC] yohgaki@php.net
It seems this feature hasn't been tested well.
Just need more buffer. Patch attached.
 [2019-02-13 13:02 UTC] yohgaki@php.net
Why doesn't it use smart_str? It's more robust and common in PHP.
 [2019-02-13 13:02 UTC] pmmaga@php.net
That doesn't sound right as the description of the issue mentions "This behavior doesn't depend on cookie value length." and this case is tested in https://github.com/php/php-src/blob/c53852dc0a0e553a7d879eefe489c1c327d5bed2/ext/standard/tests/network/setcookie.phpt#L37
 [2019-02-13 13:35 UTC] pmmaga@php.net
Actually, you're right. Max-Age has variable length and that isn't taken into account.
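As an added check (not part of this report or of php-src), a small Python validator that parses a Set-Cookie header and flags the symptom reported above, a SameSite attribute whose value is empty or truncated, which is what the buffer-size miscalculation diagnosed in the comments produces. The headers from the test script are embedded as constructed sample input; the "Str" variant is built from the report's description of the Strict case.

```python
from __future__ import annotations
import re

# Accepted SameSite values; anything else (including the empty string from
# bug #77612, or a truncated "Str") is reported as a finding.
VALID_SAMESITE = {"lax", "strict", "none"}

# Constructed sample input, taken from the test script in the report.
EXPECTED_HEADER = ("Set-Cookie: key=value; expires=Thu, 13-Feb-2020 12:06:47 GMT; "
                   "Max-Age=31536000; path=/; domain=example.com; secure; HttpOnly; SameSite=Lax")
ACTUAL_HEADER = ("Set-Cookie: key=value; expires=Thu, 13-Feb-2020 12:06:47 GMT; "
                 "Max-Age=31536000; path=/; domain=example.com; secure; HttpOnly; SameSite=")
TRUNCATED_STRICT_HEADER = ACTUAL_HEADER + "Str"   # the "Strict" -> "Str" case


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str | None]]:
    """Split a Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (secure, httponly) map to None.
    An optional leading "Set-Cookie:" field name is stripped.
    """
    if header.lower().startswith("set-cookie:"):
        header = header.partition(":")[2]
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def check_set_cookie(header: str) -> list[str]:
    """Return the problems found in one Set-Cookie header (empty list means OK)."""
    problems: list[str] = []
    name, _value, attrs = parse_set_cookie(header)
    samesite = (attrs.get("samesite") or "").lower() if "samesite" in attrs else None
    if samesite is not None and samesite not in VALID_SAMESITE:
        problems.append(f"{name}: SameSite value {attrs['samesite'] or ''!r} is not Lax/Strict/None")
    if "max-age" in attrs and not re.fullmatch(r"-?\d+", attrs["max-age"] or ""):
        problems.append(f"{name}: Max-Age {attrs['max-age']!r} is not an integer")
    if samesite == "none" and "secure" not in attrs:
        problems.append(f"{name}: SameSite=None requires the Secure attribute")
    return problems
```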
 [2019-02-14 09:28 UTC] nikic@php.net
-Assigned To: +Assigned To: nikic
 [2019-02-14 09:44 UTC] nikic@php.net
Automatic comment on behalf of nikita.ppv@gmail.com
Revision: http://git.php.net/?p=php-src.git;a=commit;h=eb063c8a9f130f2981c590d31aa2dd548a8d523b
Log: Fixed bug #77612
 [2019-02-14 09:44 UTC] nikic@php.net
-Status: Verified +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved.
Last updated: Sat Feb 01 20:01:31 2025 UTC