php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #17050 PHP not reading/writing cookies properly
Submitted: 2002-05-06 15:42 UTC Modified: 2002-06-28 01:45 UTC
Votes:8
Avg. Score:5.0 ± 0.0
Reproduced:7 of 7 (100.0%)
Same Version:5 (71.4%)
Same OS:4 (57.1%)
From: csaba at alum dot mit dot edu Assigned:
Status: Not a bug Package: *General Issues
PHP Version: 4.2.0 OS:
Private report: No CVE-ID: None
View Developer Edit
 [2002-05-06 15:42 UTC] csaba at alum dot mit dot edu 
This bug concerns & and = in cookies which is supported (ie. document.cookies) in my Netscape 6.1 and IE 5.5 on my Win2K, Apache 2.0.35, PHP 4.2 (as module) system.

I have made the following test:  First, using Header in the index.php test file below, I set a cookie by the name of CookieTest to the following: Var1=Hi%20Mom&Var2=Frob
The script below demonstrates that the cookie is received by the browser, but PHP fails to put the cookie into $_COOKIE (and $_REQUEST).

<html><head><title>Testing cookies</title></head><body>
<?php
    Header("Set-Cookie: CookieTest=Var1=Hi%20Mom&Var2=Frob; expires=Thu, 07-May-02 00:00:00 GMT; path=/");
    $aHeaders = getallheaders();
    foreach ($aHeaders as $key=>$hdr)
        print "<br>Header $key: $hdr\r\n";
?>
<br><br>Cookies according to browser:<br>
<script>document.write(document.cookie)</script>
<?php phpinfo(); ?>
</body></html>

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2002-05-10 09:40 UTC] arat155 at icqmail dot com 
I have the same problem.
 [2002-05-21 02:36 UTC] jbeck at terabit dot ca 
One of my servers froze. When I rebooted it would no longer read any cookies. I don't know if the freezing is related but it might be...

I am using php 4.0.6
 [2002-05-28 09:39 UTC] stefan at traskelin dot com 
I was using PHP 4.1.1 on Win32 and Apache 1.3.24. I had to restart my server and then it doesn't seem to work any longer. 

I have reinstalled Apache and updated PHP to 4.2.1. The PHP script doesn't seem to get the value. However when I include the phpinfo()-function, it can tell me about the cookies...
 [2002-06-27 23:09 UTC] sniper@php.net 
Cookies are available to scripts in the NEXT run, not the same.
 [2002-06-28 01:35 UTC] csaba at alum dot mit dot edu 
That's nice.  I agree with your statement, but it has no bearing on my bug report.  That's why I've marked the status Open again.
I'll spell out what you are looking for.  You have to run the test twice because on the first invocation (from client to server) no cookies have been set yet, as you point out.  The second invocation on IE can be accomplished by an F5 button, while with netscape, you may have to clear the disk/memory cache since the client may not run out to the server otherwise.
    Upon this (second) test, you will notice that in the section printed out by the php headers, we have an entry (correctly) reading:
    Header Cookie: CookieTest=Var1=Hi%20Mom&Var2=Frob
Right below this we have another entry (correctly) reading:
    Cookies according to browser:
    CookieTest=Var1=Hi%20Mom&Var2=Frob

So now we know that the cookie we set was correctly received by the browser, and that the server, in turn, has correctly received the cookie that was on the client machine.  Now let's see what PHP does with it.  In the PHP Variables (next to last) section of the phpinfo() we have two entries reading:

_COOKIE["CookieTest"]     |    Var1=Hi Mom&Var2=Frob
_SERVER["HTTP_COOKIE"]    |    CookieTest=Var1=Hi%20Mom&Var2=Frob 

Evidently, PHP has interpreted that %20 as a space.  I have not been able to find any documentation for this behaviour, and that is what I am reporting.  Browser documentation generally encourages using escape() to ensure that no illegal characters are embedded within a cookie, but this is not the only way.  Ultimitely, it means that I can't get all cookie values or use alternate encoding schemes unless I go to the original _SERVER["HTTP_COOKIE"].
 [2002-06-28 01:45 UTC] rasmus@php.net 
Cookies are treated like single GET or POST values in that their contents are urldecoded.  %20 is a space in standard urlencoding.  As you said, if you want to do your own decoding, you can simply use the raw cookie string.  You may not agree with the choice to urldecode, but that doesn't mean it is a bug.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Oct 30 00:00:02 2025 UTC