php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #76232 SoapClient Cookie Header Semicolon
Submitted: 2018-04-18 08:31 UTC Modified: 2018-04-19 18:55 UTC
Votes:2
Avg. Score:4.0 ± 1.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: philipp dot kern at datenkraft dot com Assigned:
Status: Closed Package: SOAP related
PHP Version: 7.0.29 OS: Ubuntu 16.04.4
Private report: No CVE-ID: None
View Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
43 - 6 = ?
Subscribe to this entry?

 
 [2018-04-18 08:31 UTC] philipp dot kern at datenkraft dot com 
Description:
------------
Hello,

we have found the following problem:

If you use the PHP SoapClient and the endpoint returns some cookies, the cookies get added to the subsequent requests, but there is an additional semicolon appended.

Example:
Cookie: testcookie1=true;testcookie2=true;

According to the RFC I've read this is not neccessary.


The problem is now that we are trying to consume a web service that unfortunately returns a "400 Bad Request" error because of this semicolon.

Test script with an other webservice is appended to see the cookie header in the request.

I have tried this with the lastest PHP versions of 7.0, 7.1 and 7.2 - same result.

Thank you!

Test script:
---------------
$client = new SoapClient("http://ec.europa.eu/taxation_customs/vies/services/checkVatService?wsdl", array('trace' => true));
$client->__setCookie('testcookie1', 'true');
$client->__setCookie('testcookie2', 'true');

try {
	$response = $client->checkVat(array("countryCode" => 'TEST', "vatNumber" => 'TEST'));
} catch (Exception $e) {
	echo "Exception caught:\n" . $e . "\n";
}

$requestLoggingData = "Request:\n" . $client->__getLastRequestHeaders() . "\n\n" . $client->__getLastRequest() . "\n\n";
$requestLoggingData .= "Response:\n" . $client->__getLastResponseHeaders() . "\n\n" . $client->__getLastResponse() . "\n\n";
$requestLoggingData .= "Cookies:\n" . print_r($client->__getCookies(), true);
echo $requestLoggingData;

Expected result:
----------------
No semicolon is prepended in the cookie header.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2018-04-19 18:36 UTC] cmb@php.net
-Status: Open +Status: Analyzed
 [2018-04-19 18:36 UTC] cmb@php.net 
> The problem is now that we are trying to consume a web service
> that unfortunately returns a "400 Bad Request" error because of
> this semicolon.

And it does rightly so, since according to RFC 6265[1] the
semicolon acts as delimiter, not as terminator.

The culprit is that the semicolon is added unconditionally
directly after each cookie-pair[2].  Doing this only if (i < n-1)
should solve the issue.

[1] <https://tools.ietf.org/html/rfc6265>
[2] <https://github.com/php/php-src/blob/PHP-7.2.5/ext/soap/php_http.c#L846>
 [2018-04-19 18:55 UTC] cmb@php.net 
> Doing this only if (i < n-1) should solve the issue.

Actually, this won't necessarily work, but you get it. :)
 [2024-06-01 15:37 UTC] git@php.net 
Automatic comment on behalf of nielsdos
Revision: https://github.com/php/php-src/commit/1b1677a8f124e4d4c810a3c5092aebdf5dfaedb7
Log: Fix bug #76232: SoapClient Cookie Header Semicolon
 [2024-06-01 15:37 UTC] git@php.net
-Status: Analyzed +Status: Closed
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Tue Nov 04 04:00:01 2025 UTC