Bug #17178 SetCookie: updated specs
Submitted: 2002-05-13 09:00 UTC Modified: 2002-08-15 17:39 UTC
From: public at macfreek dot nl Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.1.2 OS: Any
Private report: No CVE-ID: None
 [2002-05-13 09:00 UTC] public at macfreek dot nl
PHP seems to implement the original Cookie *proposal* by Netscape. However, there are two newer *Standard* specifications by the IETF.

http://www.netscape.com/newsref/std/cookie_spec.html "Persistent Client State -- HTTP Cookies"
http://www.ietf.org/rfc/rfc2109.txt "HTTP State Management Mechanism"
http://www.ietf.org/rfc/rfc2965.txt "HTTP State Management Mechanism"

Since RFC 2109 is already over 5 years old, I would recommend implementing it over the long-deprecated Netscape specification. The major change is that the Expires attribute is replaced with the Max-Age attribute, eliminating the problem of time synchronization between client and server. Of course, you can send both attributes.

I would not implement RFC 2965 yet, since it defines the Set-Cookie2 header, which is possibly not widely supported yet.

Also, please read the security considerations. For example, about spoofing:

   Proper application design can avoid spoofing attacks from related
   domains.  Consider:

      1. User agent makes request to victim.cracker.edu, gets back
         cookie session_id="1234" and sets the default domain
         victim.cracker.edu.

      2. User agent makes request to spoof.cracker.edu, gets back cookie
         session-id="1111", with Domain=".cracker.edu".

      3. User agent makes request to victim.cracker.edu again, and
         passes

         Cookie: $Version="1"; session_id="1234",
                 $Version="1"; session_id="1111"; $Domain=".cracker.edu"

         The server at victim.cracker.edu should detect that the second
         cookie was not one it originated by noticing that the Domain
         attribute is not for itself and ignore it.
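The two points in this report, sending Max-Age alongside the Netscape Expires attribute and the server-side check from the quoted RFC 2109 security considerations, as an added example in Python. This is not code from the bug report or from PHP's setcookie(); the host names come from the RFC excerpt, and the policy that a server knows which Domain values it issues (here: none, so any cookie carrying a $Domain is foreign) is an assumption of the example.

```python
"""Added example (not from the bug report or from PHP): RFC 2109 cookies.

Two pieces:
  * build_set_cookie() emits a Set-Cookie with both Expires (Netscape) and
    Max-Age (RFC 2109), as the report suggests.
  * parse_cookie_header() reads an RFC 2109 Cookie request header and
    accept_cookies() drops cookies whose $Domain is not one this server
    would have set, which is the defence described in the quoted excerpt.
"""
import re
from email.utils import formatdate


def build_set_cookie(name, value, max_age, now, path="/", domain=None):
    """Set-Cookie value carrying both lifetimes. `now` is a POSIX timestamp,
    `max_age` is in seconds; Expires is derived from them so both agree."""
    parts = [f"{name}={value}",
             "Expires=" + formatdate(now + max_age, usegmt=True),
             f"Max-Age={max_age}",
             f"Path={path}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append("Version=1")
    return "; ".join(parts)


# One "name=value" (value either a quoted-string or a token) followed by a
# ';' or ',' separator or end of string.
_TOKEN = re.compile(
    r'\s*([^=;,\s]+)\s*(?:=\s*("(?:[^"\\]|\\.)*"|[^;,\s]*))?\s*([;,]|$)')


def _unquote(raw):
    """Strip RFC 2109 quoted-string quoting, undoing backslash escapes."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    return raw


def parse_cookie_header(header):
    """Return (version, cookies). Each cookie is a dict with 'name', 'value',
    'domain', 'path'; '$'-prefixed attributes attach to the cookie that
    precedes them, '$Version' is recorded separately."""
    cookies, version, pos = [], None, 0
    while pos < len(header):
        m = _TOKEN.match(header, pos)
        if not m:
            raise ValueError(f"malformed Cookie header at offset {pos}")
        name, raw = m.group(1), m.group(2)
        value = _unquote(raw) if raw is not None else ""
        if name.startswith("$"):
            attr = name[1:].lower()
            if attr == "version":
                version = value
            elif cookies:              # a $Domain/$Path with no cookie before it is junk
                cookies[-1][attr] = value
        else:
            cookies.append({"name": name, "value": value,
                            "domain": None, "path": None})
        pos = m.end()
    return version, cookies


def accept_cookies(cookies, own_domains=frozenset()):
    """Keep cookies this server could have originated: those with no $Domain
    (the user agent defaulted it to the request host) or a $Domain in the
    set of Domain values this server actually issues (assumed known)."""
    own = {d.lower() for d in own_domains}
    accepted, rejected = [], []
    for c in cookies:
        d = c["domain"]
        (accepted if d is None or d.lower() in own else rejected).append(c)
    return accepted, rejected


# The request header from step 3 of the RFC excerpt, as constructed input.
RFC_EXAMPLE = ('$Version="1"; session_id="1234", '
               '$Version="1"; session_id="1111"; $Domain=".cracker.edu"')


def victim_session(header=RFC_EXAMPLE):
    """What victim.cracker.edu should keep and ignore. It sets no Domain
    attribute itself, so the spoof.cracker.edu cookie is rejected."""
    _version, cookies = parse_cookie_header(header)
    accepted, rejected = accept_cookies(cookies)
    return [c["value"] for c in accepted], [c["value"] for c in rejected]


if __name__ == "__main__":
    print(build_set_cookie("session_id", "1234", 3600, now=1021280400))
    print(victim_session())
```

The parser tolerates both ';' and ',' as cookie separators and keeps commas inside quoted values intact, which matters because the RFC's own example uses a comma between the two cookies. The acceptance rule is deliberately a whitelist of Domain values the server issues rather than a suffix match, since a suffix match would accept exactly the ".cracker.edu" cookie the excerpt warns about.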

 [2002-08-15 17:39 UTC] iliaa@php.net
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.

Despite the RFC being 5 years old, after doing tests with a number of browsers I've found that some, like Konqueror, outright ignore the RFC while others, like Mozilla and IE, support it partially.
Since this is the case, until at least all new browsers begin to support this, PHP will not adopt the RFC.
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Tue Aug 03 07:01:24 2021 UTC