php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #14255 setcookie bug (Cookie is destroyed/Inaccessible)
Submitted: 2001-11-27 12:43 UTC Modified: 2010-08-25 16:05 UTC
Votes:14
Avg. Score:3.9 ± 1.4
Reproduced:11 of 12 (91.7%)
Same Version:5 (45.5%)
Same OS:5 (45.5%)
From: kris dot wilkinson at titancs dot com Assigned: shiflett (profile)
Status: Closed Package: HTTP related
PHP Version: 4.0.6 OS: Debian 2.2.19
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: kris dot wilkinson at titancs dot com
New email:
PHP Version: OS:

 

 [2001-11-27 12:43 UTC] kris dot wilkinson at titancs dot com
The problem is simple, in the older versions of php, you could set a cookie and have it available for your specified amount of time from any browser window open.

The line was as follows : 

setcookie ("myCookie","Blah","time()+7201"); 

The cookie should be set for just over 2 hours.

In 4.0.6, If you set the cookie, the time you set is never actually used, and the cookie is destroyed immediately after you close the browser window. 

Another downside, you cannot access this cookie from another window even if the original window is open. this sounds like an exclusive window session is linked to that cookie, and once the uplink is dropped, so is the cookie.

To access the cookie, i've been using :

$mycookie = $HTTP_COOKIE_VARS[myCookie];

it will show up in the original window, but not in others.

at all!

what's up?! :)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2001-11-27 12:56 UTC] hholzgra@php.net
setcookie ("myCookie","Blah","time()+7201"); 
                             ^           ^

do you realy have quotes here?

  -> "time()+7201" as a string would evaluate 
     as zero, so deleting the ccokie instead
     of setting it



 [2001-11-27 12:56 UTC] hholzgra@php.net
(switched to feedback status)
 [2001-11-27 13:00 UTC] kris dot wilkinson at titancs dot com
yes there are quotes in the line.

If you remove the quotes, the cookie doesn't initialize at all. Should we be assigning a variable there instead for example :

$mytime = time() + 7200;

setcookie ("coookiename", "cookievalue", $mytime); ?

There have been tones of posts in your setcookie function information about the cookie not working at all if you do not put the "" in there.


 [2001-11-27 13:03 UTC] kris dot wilkinson at titancs dot com
Setting a pre-defined value for the time aspect works, however ... just to let you guys know, if you put 

setcookie ($mycookie, $myvalue, time()+7200);

on my box, and several others that we use, it wont set that cookie!!

fyi :)

thanks for your help
 [2001-11-27 13:40 UTC] kris dot wilkinson at titancs dot com
ANd now .... it's not working again.

Suggestions please!
 [2001-11-27 13:43 UTC] sander@php.net
setcookie ('CookieName', 'CookieValue', time()+7200);
works. If not you're doing something wrong.
This is NOT a bug in PHP. Ask further support-questions on the appropriate mailinglist (php-general@lists.php.net).


 [2001-11-27 13:48 UTC] kris dot wilkinson at titancs dot com
Not to sound offensive, have you actually tried it?

I've pasted exactly what you just sent back to me, and it wont go.

There have been many comments in the newsgroups and the function page itself about this issue ...

people are having to put quotations around the time aspect in order to get it to work at all, and according to you, that would set the value to zero right?

-> cookie.php 

<?php

       setcookie ('CookieName', 'CookieValue', time()+7200);
       header ("Location: cookie2.php");
        
?>   

-> cookie2.php

<?php

        $cookie = $HTTP_COOKIE_VARS[CookieName];
        echo $cookie;
        
?>

that's exactly the test script i'm using. 

Is there anything wrong with the above? 


 [2001-11-27 13:59 UTC] kris dot wilkinson at titancs dot com
array(4) { ["xfxdD"]=> string(4) "Blah" ["wingrep"]=> array(4) { ["customer_cookie"]=> string(10) "1150232722" ["customer_id"]=> string(1) "1" ["customer_name"]=> string(13) "Mr. Wilkinson" ["customer_province"]=> string(2) "BC" } ["titancart"]=> array(1) { [0]=> string(72) "33a63c7718-component-1715-108.95-1-Adaptec Fireconnect 4300 3 Port-2.00*" } ["wingrepship"]=> array(7) { ["ship_to"]=> string(18) "Mr. Kris Wilkinson" ["unit_type"]=> string(5) "SUITE" ["unit_num"]=> string(3) "101" ["street"]=> string(18) "10464 176th Street" ["city"]=> string(8) "Edmonton" ["province"]=> string(2) "BC" ["postal"]=> string(7) "T5R 3L6" } } 

is what it returns. nothing containing the CustomerCookie
defined previously.

these other values are from original cookies which had the 
"" around the time aspect.

so i'm assuming this means that the value was not stored in a cookie at all?

 [2001-11-27 13:59 UTC] kris dot wilkinson at titancs dot com
array(4) { ["xfxdD"]=> string(4) "Blah" ["wingrep"]=> array(4) { ["customer_cookie"]=> string(10) "1150232722" ["customer_id"]=> string(1) "1" ["customer_name"]=> string(13) "Mr. Wilkinson" ["customer_province"]=> string(2) "BC" } ["titancart"]=> array(1) { [0]=> string(72) "33a63c7718-component-1715-108.95-1-Adaptec Fireconnect 4300 3 Port-2.00*" } ["wingrepship"]=> array(7) { ["ship_to"]=> string(18) "Mr. Kris Wilkinson" ["unit_type"]=> string(5) "SUITE" ["unit_num"]=> string(3) "101" ["street"]=> string(18) "10464 176th Street" ["city"]=> string(8) "Edmonton" ["province"]=> string(2) "BC" ["postal"]=> string(7) "T5R 3L6" } } 

is what it returns. nothing containing the CustomerCookie
defined previously.

these other values are from original cookies which had the 
"" around the time aspect.

so i'm assuming this means that the value was not stored in a cookie at all?

 [2001-11-27 14:28 UTC] sander@php.net
IIRC, no time (time=0) means that the cookie will not expire until the session (read: your browser) has been closed.

Your scripts work fine for me at both Windows 2000 and Debian Linux (Potato).
 [2001-11-28 04:39 UTC] hholzgra@php.net
ok, stupid me regarding the claim that a zero value
(or a string as parameter, evaluating to zero)
actualy deletes a cookie

it indeed defines the cookie to be a session cookie
which is valid until the browser is closed instead
of until a certain date/time is reached

for the time parameter itself:
the time() function returns the server time
while the browser deciedes when to delete
a cookie by the client time

if client and server are not in sync or live in
different time zones you will get exactly the 
problems you experienced

you either have to use expiration times in the range of days isntead of hours (as timezone differences can sum up to slightly more than 24 hours in the worst case) or you have to use javascript Date.getTime() to fetch the client time and transfer it to the server as a base for expiration dates instead of using the time() function on the server

(will add a note to the setcookie documentation and work through the notes later, bug type switched to documentation problem for now)

 [2001-12-05 06:52 UTC] sander@php.net
Timezones do NOT matter. All times are GMT.
From a HTTP-response: 
Set-Cookie: CookieName=CookieValue; expires=Mon, 28-Jan-02 00:47:45 GMT
So the only thing that should be noted is that the time on client and server should be in sync for correct behaviour.
 [2002-02-03 22:47 UTC] chris at k2labs dot org
A couple of comments.

Kris, in regards to your comment on NOV-27-2001 at 1:48PM, that code will fail because you cannot set a cookie and give a Location header in the same HTTP response. Well, you *can*, but your cookie will not be set. Since the server would not be able to identify the client without the cookie, you get the unexpected behavior. This is a protocol-level situation, but is generally *not* considered a bug in HTTP (in case you got the feeling I was supporting that idea). Basically, PHP gives you the freedom to specify your own headers in the HTTP response, but you need to have a clear grasp of what they do to use them.

So, if this example was a clear illustration of the problem you've been having, it's not a bug in PHP. You can spread that around to others who are having the same problems.

Also, in regards to the time/date discussion, it is correct to say that the browser uses the client time (obviously) to determine whether to send a cookie along with subsequent HTTP requests. It is also correct to say that the setcookie function uses the server time to set the expiration date. However, since both are in GMT as sander@php.net explained (sorry, I don't know your name), this only matters if both clocks are considerably out of sync or if the expiration time of the cookie is extremely small. If this is a concern, consider using client-side scripting to set the cookie, so that the browser itself creates the cookie based on its own time. You can create the client-side script itself using PHP, so that the cookie's value can still be dynamically generated by your PHP scripts.

Hope that clears a few things up. If this didn't solve your problem, please post another small example, and I'll try to reproduce your environment.
 [2002-02-06 12:33 UTC] alindeman@php.net
Is this even a bug?  It's under documentation problem.  Do I need to change something in the documentation?

 [2002-02-06 14:00 UTC] shiflett@php.net
I'm changing the category to HTTP and status to feedback. I do not think this is a bug but want to give the submitter time to respond to my inquiry.
 [2002-03-07 00:00 UTC] php-bugs at lists dot php dot net
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
 [2003-02-05 13:44 UTC] mike at cibal dot es
I have a PHP script that sets a cookie as follows:

$cookie_expire = time()+3600;                              $cookie_name= "loginpipoclub";                              
$value= "mike";                                                  
setcookie ($cookie_name, $value, $cookie_expire);                                                   
THis IS NOT WORKING anymore (I swear it did work
!).  So I have finally tried to find out why the cookie is not being set by using Telnet.  The response I get in the header shows that the cookie is expired, but I cannot understand WHY!!!  THE server time shows the correct time/date according to my system and my watch BUT THE COOKIE IS MARKED AS DELETED (SEE SetCookie: header below) despite the fact that I have set it to expire at time() + 3600.   In fact, the expiry date is marked to be last year.

HERE IS THE RESPONSE FROM THE SERVER USING TELNET ON PORT 80:

HTTP/1.1 200 OK                                                                 
Date: Wed, 05 Feb 2003 19:40:29 GMT                                             
Server: Apache/1.3.22 (Unix) mod_ssl/2.8.5 OpenSSL/0.9.6a PHP/4.0.6 mod_perl/1.0
X-Powered-By: PHP/4.0.6                                                         
Set-Cookie: loginpipoclub=deleted; expires=Tue, 05-Feb-02 19:40:39 GMT; path=/;m
Transfer-Encoding: chunked                                                      
Content-Type: text/html                                                         
PLEASE, CAN ANYONE SHED SOME LIGHT ON THIS. I have been looking all over the internet on various forums BUT i cannot get a solution to the problem,

I am using PHP/MYSQL on a unix system in the US, which i am accessing from telnet in spain. My browser is Internet Explorer 6.0.128 (initially i thought it was a browser issue since I had this working on other browsers, but the telnet proof shows that it is not a browser issue, the cookie has in fact been marked as DELETED!!!!).

regards
Mike Ferrer
 [2003-02-05 13:50 UTC] mike at cibal dot es
Oh, I forgot to mention IN THE PREVIOUS POSTING, MY SETUP IS AS FOLLOWS:

PHP/4.0.6 
APACHE 1.3.22 (Unix)
 [2003-02-05 13:50 UTC] mike at cibal dot es
Oh, I forgot to mention IN THE PREVIOUS POSTING, MY SETUP IS AS FOLLOWS:

PHP/4.0.6 
APACHE 1.3.22 (Unix)
 [2003-11-24 21:10 UTC] pletiplot at seznam dot cz
$SessionID = md5(uniqid(""));
SetCookie("sigla_cookie", $loginname, time()+3600, $DIRECTORY);
SetCookie("SessionID", $SessionID, time()+3600, $DIRECTORY);

The first is not send at all, I traced the tcpdump.
The second is send normaly.
If I change order, I stil get the second a do not get the first.
The same script on other machine PHP 4.2.2 works.

PHP 4.0.6
Server version: Apache/1.3.20 (Unix)  (Red-Hat/Linux)
Server built:   Sep  5 2001 23:12:29
 [2003-11-24 21:12 UTC] pletiplot at seznam dot cz
$SessionID = md5(uniqid(""));
SetCookie("sigla_cookie", $loginname, time()+3600, $DIRECTORY);
SetCookie("SessionID", $SessionID, time()+3600, $DIRECTORY);

The first is not send at all, I traced the tcpdump.
The second is send normaly.
If I change order, I stil get the second a do not get the first.
The same script on other machine PHP 4.2.2 works.

PHP 4.0.6
Server version: Apache/1.3.20 (Unix)  (Red-Hat/Linux)
Server built:   Sep  5 2001 23:12:29
 [2010-08-25 16:05 UTC] shiflett@php.net
-Status: No Feedback +Status: Closed
 [2010-08-25 16:05 UTC] shiflett@php.net
Cleaning up an old bug.
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Wed Oct 23 21:01:33 2019 UTC