Bug #17178 SetCookie: updated specs
Submitted: 2002-05-13 09:00 UTC Modified: 2002-08-15 17:39 UTC
From: public at macfreek dot nl Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.1.2 OS: Any
Private report: No CVE-ID: None

 [2002-05-13 09:00 UTC] public at macfreek dot nl
PHP seems to implement the original Cookie *proposal* by Netscape. However, there are two newer *Standard* specifications by the IETF: "Persistent Client State -- HTTP Cookies", "HTTP State Management Mechanism" (RFC 2109), "HTTP State Management Mechanism" (RFC 2965).

Since RFC 2109 is already over 5 years old, I would recommend implementing it over the long-deprecated Netscape specification. The major change is that the Expires attribute is replaced with the Max-Age attribute, eliminating the problem of time synchronization between client and server. Of course, you can send both attributes.

I would not implement RFC 2965 yet, since it defines the Set-Cookie2 header, which is possibly not widely supported yet.

Also, please read the security considerations. For example, about spoofing:

   Proper application design can avoid spoofing attacks from related
   domains.  Consider:

      1. User agent makes request to, gets back
         cookie session_id="1234" and sets the default domain

      2. User agent makes request to, gets back cookie
         session-id="1111", with Domain="".

      3. User agent makes request to again, and

         Cookie: $Version="1"; session_id="1234",
                 $Version="1"; session_id="1111"; $Domain=""

         The server at should detect that the second
         cookie was not one it originated by noticing that the Domain
         attribute is not for itself and ignore it.
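The two points raised above (sending Max-Age alongside the Netscape Expires attribute, and ignoring cookies whose Domain attribute the server never issued), worked through as an added PHP example. This is not code from the bug report or from PHP's own setcookie() implementation; the helper functions, the hostnames and the sample Cookie header are constructed for illustration, and the script assumes PHP 5.1 or later for the exception class.

```php
<?php
// Added example, not part of the bug report or of PHP's setcookie().
// Emits a Set-Cookie header with both the Netscape "expires" attribute and
// the RFC 2109 "Max-Age"/"Version" attributes, then filters an incoming
// RFC 2109 Cookie header so that cookies carrying a $Domain this server
// never issued are ignored (the spoofing check in the RFC's security section).

// Build a Set-Cookie header value. $maxAge is a lifetime in seconds (RFC 2109);
// the Netscape "expires" date is derived from it so that clients that only
// understand the Netscape format still see an expiry. $now is injectable for tests.
function build_set_cookie($name, $value, $maxAge, $path = '/', $domain = null, $secure = false, $now = null)
{
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    if ($now === null) {
        $now = time();
    }
    // rawurlencode keeps the value a single token, so no quoting is needed;
    // the receiving side decodes it again with rawurldecode.
    $parts = array($name . '=' . rawurlencode($value));
    $parts[] = 'Version=1';
    $parts[] = 'Max-Age=' . (int) $maxAge;
    // Netscape format requires a GMT date; gmdate() avoids local-timezone skew.
    $parts[] = 'expires=' . gmdate('D, d-M-Y H:i:s', $now + (int) $maxAge) . ' GMT';
    $parts[] = 'Path=' . $path;
    if ($domain !== null) {
        $parts[] = 'Domain=' . $domain;
    }
    if ($secure) {
        $parts[] = 'Secure';
    }
    return implode('; ', $parts);
}

// Parse an RFC 2109 Cookie request header into a list of
// array('name' => ..., 'value' => ..., 'attrs' => array('domain' => ..., 'path' => ...)).
// RFC 2109 allows ';' or ',' between items; $-prefixed items are attributes of
// the cookie that precedes them, except $Version, which applies to the whole header.
function parse_rfc2109_cookies($cookieHeader)
{
    $cookies = array();
    $current = null;
    foreach (preg_split('/\s*[;,]\s*/', trim($cookieHeader)) as $item) {
        if ($item === '') {
            continue;
        }
        $pair = explode('=', $item, 2);
        $key  = $pair[0];
        $val  = isset($pair[1]) ? trim($pair[1], '"') : '';
        if ($key[0] === '$') {
            if (strcasecmp($key, '$Version') !== 0 && $current !== null) {
                $current['attrs'][strtolower(substr($key, 1))] = $val;
            }
            continue;
        }
        if ($current !== null) {
            $cookies[] = $current;
        }
        $current = array('name' => $key, 'value' => $val, 'attrs' => array());
    }
    if ($current !== null) {
        $cookies[] = $current;
    }
    return $cookies;
}

// Keep only cookies this server could have set: either no $Domain was sent
// (the client defaulted it to the request host) or the $Domain is one of the
// Domain values this application itself uses in Set-Cookie ($ownDomains, lowercase).
// Returns name => decoded value.
function accept_own_cookies($cookieHeader, $ownDomains)
{
    $accepted = array();
    foreach (parse_rfc2109_cookies($cookieHeader) as $c) {
        $domain = isset($c['attrs']['domain']) ? strtolower($c['attrs']['domain']) : null;
        if ($domain === null || in_array($domain, $ownDomains, true)) {
            $accepted[$c['name']] = rawurldecode($c['value']);
        }
        // Otherwise the cookie was scoped to a related domain we never issued: drop it.
    }
    return $accepted;
}

// Constructed sample mirroring the RFC 2109 spoofing scenario with made-up hosts:
// this server (app.example.com) sets session_id without a Domain attribute, and a
// sibling host has planted session_id for ".example.com".
echo 'Set-Cookie: ' . build_set_cookie('session_id', '1234', 3600, '/', null, true) . "\n";
$incoming = '$Version="1"; session_id="1234", $Version="1"; session_id="1111"; $Domain=".example.com"';
print_r(accept_own_cookies($incoming, array()));
// Only session_id => 1234 survives; the ".example.com" cookie is ignored.
```

The filter deliberately compares the $Domain attribute against the exact Domain values the application issues rather than doing RFC 2109 domain-matching, because the point of the check is "did I set this cookie", not "could a browser legitimately have sent it". Note that browsers of the period only partially returned $Domain, so the check is defence in depth, not a substitute for binding the session to other server-side state.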


 [2002-08-15 17:39 UTC]
Sorry, but the bug system is not the appropriate forum for asking
support questions. Your problem does not imply a bug in PHP itself.
For a list of more appropriate places to ask for help using PHP,
please visit

Thank you for your interest in PHP.

Despite the RFC being 5 years old, after doing tests with a number of browsers I've found that some, like Konqueror, outright ignore the RFC, while others, like Mozilla and IE, support it partially.
Since this is the case, until at least all new browsers begin to support this, PHP will not adopt the RFC.