PHP :: Bug #17178 :: SetCookie: updated specs

Bug #17178	SetCookie: updated specs
Submitted:	2002-05-13 09:00 UTC	Modified:	2002-08-15 17:39 UTC
From:	public at macfreek dot nl	Assigned:
Status:	Not a bug	Package:	HTTP related
PHP Version:	4.1.2	OS:	Any
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	public at macfreek dot nl
New email:
PHP Version:		OS:

New/Additional Comment:

[2002-05-13 09:00 UTC] public at macfreek dot nl

PHP seems to implement to original Cookie *proposal* by Netscape. However, there are two newer *Standard* specifications by the IETF.

http://www.netscape.com/newsref/std/cookie_spec.html "Persistent Client State -- HTTP Cookies"
http://www.ietf.org/rfc/rfc2109.txt "HTTP State Management Mechanism"
http://www.ietf.org/rfc/rfc2965.txt "HTTP State Management Mechanism"

Since RFC 2109 is already over 5 years old, I would recommend implementing it over the by long deprecated Netscape specification. The major change is that the Expire attribute is replaced with the Max-Age attribute, eliminating the problem of time synchronization between client and server. Of course, you can sent both attributes.

I would not implement RFC 2965 yet, since it defines the Set-Cookie2 header, which is possibly not widely supported yet.

Also, please read the security considerations. For example, about spoofing:

Proper application design can avoid spoofing attacks from related
domains. Consider:

1. User agent makes request to victim.cracker.edu, gets back
cookie session_id="1234" and sets the default domain
victim.cracker.edu.

2. User agent makes request to spoof.cracker.edu, gets back cookie
session-id="1111", with Domain=".cracker.edu".

3. User agent makes request to victim.cracker.edu again, and
passes

Cookie: $Version="1"; session_id="1234",
$Version="1"; session_id="1111"; $Domain=".cracker.edu"

The server at victim.cracker.edu should detect that the second
cookie was not one it originated by noticing that the Domain
attribute is not for itself and ignore it.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2002-08-15 17:39 UTC] iliaa@php.net

Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit http://www.php.net/support.php

Thank you for your interest in PHP.

Despire the RFC being 5 year old, after doing tests with a number of browsers I've found that some like Konqueror outright ignore the RFC while others like Mozilla and IE support it partially.
Since this is the case until at least all new browsers begin to support this PHP will not adopt the RFC.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2023 The PHP Group All rights reserved.	Last updated: Thu Jun 08 18:03:36 2023 UTC