|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #17178 SetCookie: updated specs
Submitted: 2002-05-13 09:00 UTC Modified: 2002-08-15 17:39 UTC
From: public at macfreek dot nl Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.1.2 OS: Any
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: public at macfreek dot nl
New email:
PHP Version: OS:


 [2002-05-13 09:00 UTC] public at macfreek dot nl
PHP seems to implement to original Cookie *proposal* by Netscape. However, there are two newer *Standard* specifications by the IETF. "Persistent Client State -- HTTP Cookies" "HTTP State Management Mechanism" "HTTP State Management Mechanism"

Since RFC 2109 is already over 5 years old, I would recommend implementing it over the by long deprecated Netscape specification. The major change is that the Expire attribute is replaced with the Max-Age attribute, eliminating the problem of time synchronization between client and server. Of course, you can sent both attributes.

I would not implement RFC 2965 yet, since it defines the Set-Cookie2 header, which is possibly not widely supported yet.

Also, please read the security considerations. For example, about spoofing:

   Proper application design can avoid spoofing attacks from related
   domains.  Consider:

      1. User agent makes request to, gets back
         cookie session_id="1234" and sets the default domain

      2. User agent makes request to, gets back cookie
         session-id="1111", with Domain="".

      3. User agent makes request to again, and

         Cookie: $Version="1"; session_id="1234",
                 $Version="1"; session_id="1111"; $Domain=""

         The server at should detect that the second
         cookie was not one it originated by noticing that the Domain
         attribute is not for itself and ignore it.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-08-15 17:39 UTC]
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit

Thank you for your interest in PHP.

Despire the RFC being 5 year old, after doing tests with a number of browsers I've found that some like Konqueror outright ignore the RFC while others like Mozilla and IE support it partially.
Since this is the case until at least all new browsers begin to support this PHP will not adopt the RFC.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Jul 13 07:01:28 2024 UTC