php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #16626 Only last cookie set
Submitted: 2002-04-15 17:19 UTC Modified: 2002-06-20 18:47 UTC
Votes:53
Avg. Score:4.8 ± 0.6
Reproduced:50 of 50 (100.0%)
Same Version:42 (84.0%)
Same OS:19 (38.0%)
From: svein dot olav at bjerkeset dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 4.2.1 OS: All
Private report: No CVE-ID:
 [2002-04-15 17:19 UTC] svein dot olav at bjerkeset dot com
With Apache 2.0.35 and PHP 4.2.0RC4, only the last cookie
seems to get set.

Here is the PHP source I used for testing:

<?php
setcookie ('first_name', 'Svein', 0, '/');
setcookie ('last_name',  'Olav',  0, '/');
echo "<html><head></head><body>" .
        "<h1>Cookie test page</h1>\n";
while (list ($var,$val) = each ($HTTP_COOKIE_VARS)) {
        echo "Set-Cookie: $var=$val <br>\n";
}
echo "</body></html>";
?>

This script can be tested via the following URL:
   https://bjerkeset.dns2go.com/php/cookie.php

PHP was configured like this:
./configure \
        --prefix=/opt/php \
        --with-mysql=/opt/mysql \
        --with-config-file-path=/etc/opt/apache2 \
        --enable-track-vars \
        --enable-force-cgi-redirect \
        --with-gettext \
        --with-apxs2=/opt/apache2/bin/apxs

Svein Olav Bjerkeset

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-04-24 13:54 UTC] cabel-s at panic dot com
Now I know what "don't use this on a production server" means. :) Strangely, this bug also seems to affect header().

As a result of this bug, we replaced setcookie() with our own routine to write out cookies via header().

However, still, only one cookie (the last one) is being printed in the HTTP response headers (when I sniff the packets being sent).

It's very strange...

Here's the code we used to replace setcookie().

function send_htCookie() {
$vars=array('varname','varval','expire','path','domain','secure');

  for ($i=0;$i<func_num_args();$i++) {
    ${$vars[$i]}=func_get_arg($i);
  }

  if (!$varname) { return false; }

  $COOKIE = "Set-Cookie: $varname=$varval";
  if (isset($expire)) { $COOKIE .= "; EXPIRES=$expire";}
  if (isset($domain)) { $COOKIE .= "; DOMAIN=$domain"; }
  if (isset($path))   { $COOKIE .= "; PATH=$path"; }
  if (isset($secure) && $secure>0) { $COOKIE .= "; SECURE"; }

  header($COOKIE);
  return true;
}

Can anyone confirm that this, too, doesn't work for them?

I'll do more testing in the meantime...
 [2002-05-03 01:11 UTC] regina at hitel dot net
I did fix this problem by modifing "ext/standard/head.c".
The diff is below.
--------------------------------------------------------
124c124
<       return sapi_add_header(cookie, strlen(cookie), 0);
---
>       return sapi_add_header_ex(cookie, strlen(cookie), 0, 0 TSRMLS_CC);
--------------------------------------------------------

PS) This bug should be killed at next version. May be....
 [2002-05-17 03:12 UTC] jwoolley@php.net
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at http://snaps.php.net/. In case this was a documentation 
problem, the fix will show up soon at http://www.php.net/manual/.
In case this was a PHP.net website problem, the change will show
up on the PHP.net site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

Patch committed.  Thanks, regina!
 [2002-06-20 07:41 UTC] derick@php.net
Dup of #17663, please update only that bugreport!

Derick
 [2002-06-20 10:03 UTC] red at tripany dot com
Well after extensive testing, I have to conclude it's probably not a php (alone) problem.
I have tried:
PHP ver.     Apache ver.    --enable-so    works?   error
---------------------------------------------------------
4.2.1            2.0.39             yes       no     yes
2.1              36                 yes       yes    no
2.0              39                 yes       no     yes
2.0              36                 no        no     yes
2.0              36                 yes       yes    no
4.0.3pl1         1.3.9              ?         yes    ?

(4.0.3pl1 is the standard debian package)
The rest of the 2.1 installations (with apache 39) don't work and give errors, so there's some problem with the apxs interaction between php and httpd 2.0.39. As php2.1.0 works with httpd 2.0.36 I'm now assuming there was a change in the apxs of apache in the security fix version which renders the multiple cookies unwriteable. I'll send this off to apache as well.
Cheers
Robin
 [2002-06-20 14:55 UTC] marcum at austin dot rr dot com
I downloaded the latest cvs snapshot (php4.3 on 06/20) from http://snaps.php.net/ and compiled with apache 2.0.39. The setcookie function seems to be working in that release.
 [2003-12-29 08:02 UTC] erezoom at netvision dot net dot il
I have the same problem I installed the latesed versions but still it's not working !!!

What to do?
look:
www.artic.co.il
 [2004-02-16 08:02 UTC] g dot nivet at free dot fr
http://127.0.0.1/mysql/index.php

This is a simple way to start phpMyAdmin.

GN
 [2004-04-29 12:29 UTC] sourabh6526 at codewalkers dot com
had same problem here. Trying to solve it.
is it true we shuld use javascript to use cookies and not php directly? My seniors told me, so please clarify.

thnks.

robin
 
PHP Copyright © 2001-2014 The PHP Group
All rights reserved.
Last updated: Sun Apr 20 10:02:06 2014 UTC