Bug #16626 Only last cookie set
Submitted: 2002-04-15 17:19 UTC Modified: 2002-06-20 18:47 UTC
Avg. Score:4.8 ± 0.6
Reproduced:50 of 50 (100.0%)
Same Version:42 (84.0%)
Same OS:19 (38.0%)
From: svein dot olav at bjerkeset dot com Assigned:
Status: Closed Package: Apache2 related
PHP Version: 4.2.1 OS: All
Private report: No CVE-ID: None


 [2002-04-15 17:19 UTC] svein dot olav at bjerkeset dot com
With Apache 2.0.35 and PHP 4.2.0RC4, only the last cookie
seems to get set.

Here is the PHP source I used for testing:

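<?php
// Set two cookies on the same response; both should come back on the next request.
setcookie ('first_name', 'Svein', 0, '/');
setcookie ('last_name',  'Olav',  0, '/');
echo "<html><head></head><body>" .
        "<h1>Cookie test page</h1>\n";
// List every cookie the browser sent back.
while (list ($var,$val) = each ($HTTP_COOKIE_VARS)) {
        echo "Set-Cookie: $var=$val <br>\n";
}
echo "</body></html>";
?>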

This script can be tested via the following URL:

PHP was configured like this:
./configure \
        --prefix=/opt/php \
        --with-mysql=/opt/mysql \
        --with-config-file-path=/etc/opt/apache2 \
        --enable-track-vars \
        --enable-force-cgi-redirect \
        --with-gettext \

Svein Olav Bjerkeset


 [2002-04-24 13:54 UTC] cabel-s at panic dot com
Now I know what "don't use this on a production server" means. :) Strangely, this bug also seems to affect header().

As a result of this bug, we replaced setcookie() with our own routine to write out cookies via header().

However, still, only one cookie (the last one) is being printed in the HTTP response headers (when I sniff the packets being sent).

It's very strange...

Here's the code we used to replace setcookie().

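function send_htCookie() {
  // The loop body and the header() call are missing from the post as
  // archived; the lines marked "assumed" fill them in.
  $names = array('varname', 'varval', 'expire', 'domain', 'path', 'secure'); // assumed order
  for ($i=0;$i<func_num_args();$i++) {
    if (isset($names[$i])) { ${$names[$i]} = func_get_arg($i); } // assumed
  }

  if (!$varname) { return false; }

  // Build the Set-Cookie line, adding only the attributes that were passed.
  $COOKIE = "Set-Cookie: $varname=$varval";
  if (isset($expire)) { $COOKIE .= "; EXPIRES=$expire";}
  if (isset($domain)) { $COOKIE .= "; DOMAIN=$domain"; }
  if (isset($path))   { $COOKIE .= "; PATH=$path"; }
  if (isset($secure) && $secure>0) { $COOKIE .= "; SECURE"; }

  header($COOKIE, false); // assumed; false appends instead of replacing an earlier Set-Cookie
  return true;
}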

Can anyone confirm that this, too, doesn't work for them?

I'll do more testing in the meantime...
 [2002-05-03 01:11 UTC] regina at hitel dot net
I did fix this problem by modifying "ext/standard/head.c".
The diff is below.
<       return sapi_add_header(cookie, strlen(cookie), 0);
>       return sapi_add_header_ex(cookie, strlen(cookie), 0, 0 TSRMLS_CC);
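Review bot: the two literal 0 arguments in the new sapi_add_header_ex() call give no hint of what they select, and the added one is the whole of the fix; a short comment on that line naming the argument and why it must be 0 for Set-Cookie would keep a later cleanup from folding the call back into sapi_add_header(). The diff also has no file header or line context, so the only pointer to where it applies is the "ext/standard/head.c" mention in the message, and since an earlier comment reports the same symptom through header(), it is worth stating whether that path needs the same change.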

PS) This bug should be killed in the next version. Maybe....
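
An added illustration, not code from this thread or from PHP itself: a small C model of a response header list whose add routine takes a replace flag, showing how a second Set-Cookie displaces the first when the flag is set. It assumes the extra argument in the fix above plays that role; hdr_list, hdr_add, hdr_count and cookies_sent are names invented for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Constructed model of a response header list; not PHP's SAPI code. */
#define MAX_HDRS 16
struct hdr_list { const char *line[MAX_HDRS]; int n; };

/* Header names end at the first ':' and compare case-insensitively. */
static size_t name_len(const char *s) {
    const char *colon = strchr(s, ':');
    return colon ? (size_t)(colon - s) : strlen(s);
}
static int same_name(const char *a, const char *b) {
    size_t n = name_len(a);
    return n == name_len(b) && strncasecmp(a, b, n) == 0;
}

/* Append a header line. With replace != 0, earlier headers that carry
 * the same name are dropped first, so only the newest one is sent. */
int hdr_add(struct hdr_list *l, const char *line, int replace) {
    if (replace) {
        int kept = 0;
        for (int i = 0; i < l->n; i++)
            if (!same_name(l->line[i], line))
                l->line[kept++] = l->line[i];
        l->n = kept;
    }
    if (l->n == MAX_HDRS) return -1;
    l->line[l->n++] = line;
    return 0;
}

/* Count the headers with the given name, e.g. "Set-Cookie". */
int hdr_count(const struct hdr_list *l, const char *name) {
    int c = 0;
    for (int i = 0; i < l->n; i++)
        c += same_name(l->line[i], name);
    return c;
}

/* Queue the two cookies from the report; return how many survive. */
int cookies_sent(int replace) {
    struct hdr_list l = { {0}, 0 };
    hdr_add(&l, "Set-Cookie: first_name=Svein; path=/", replace);
    hdr_add(&l, "Set-Cookie: last_name=Olav; path=/", replace);
    return hdr_count(&l, "Set-Cookie");
}
int main(void) {
    printf("replace=1: %d, replace=0: %d\n", cookies_sent(1), cookies_sent(0));
    return 0;
}
```

With replace set, only last_name survives, which matches the symptom in the report; with it cleared, both cookies are sent.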
 [2002-05-17 03:12 UTC]
This bug has been fixed in CVS. You can grab a snapshot of the
CVS version at In case this was a documentation 
problem, the fix will show up soon at
In case this was a website problem, the change will show
up on the site and on the mirror sites.
Thank you for the report, and for helping us make PHP better.

Patch committed.  Thanks, regina!
 [2002-06-20 07:41 UTC]
Dup of #17663, please update only that bugreport!

 [2002-06-20 10:03 UTC] red at tripany dot com
Well, after extensive testing, I have to conclude it's probably not a PHP (alone) problem.
I have tried:
PHP ver.     Apache ver.    --enable-so    works?   error
4.2.1        2.0.39         yes            no       yes
2.1          36             yes            yes      no
2.0          39             yes            no       yes
2.0          36             no             no       yes
2.0          36             yes            yes      no
4.0.3pl1     1.3.9          ?              yes      ?

(4.0.3pl1 is the standard debian package)
The rest of the 2.1 installations (with apache 39) don't work and give errors, so there's some problem with the apxs interaction between php and httpd 2.0.39. As php2.1.0 works with httpd 2.0.36 I'm now assuming there was a change in the apxs of apache in the security fix version which renders the multiple cookies unwriteable. I'll send this off to apache as well.
 [2002-06-20 14:55 UTC] marcum at austin dot rr dot com
I downloaded the latest cvs snapshot (php4.3 on 06/20) from and compiled with apache 2.0.39. The setcookie function seems to be working in that release.
 [2003-12-29 08:02 UTC] erezoom at netvision dot net dot il
I have the same problem. I installed the latest versions but it's still not working!!!

What to do?
 [2004-02-16 08:02 UTC] g dot nivet at free dot fr

This is a simple way to start phpMyAdmin.

 [2004-04-29 12:29 UTC] sourabh6526 at codewalkers dot com
Had the same problem here. Trying to solve it.
Is it true we should use JavaScript to use cookies and not PHP directly? My seniors told me, so please clarify.

