Bug #18337 General cookies have higher priority than specific
Submitted: 2002-07-14 09:09 UTC Modified: 2002-11-06 10:40 UTC
Votes:5
Avg. Score:4.0 ± 0.9
Reproduced:3 of 4 (75.0%)
Same Version:1 (33.3%)
Same OS:0 (0.0%)
From: shaggy at vip dot bg Assigned:
Status: Not a bug Package: HTTP related
PHP Version: 4.2 OS: All
Private report: No CVE-ID: None
 [2002-07-14 09:09 UTC] shaggy at vip dot bg
I use PHP compiled from sources,

./configure --with-pgsql --with-mysql --with-zlib --with-apache=dir

Consider the following code has been executed, and another page loaded

setcookie('test', 'value1', time()+3600, '/foo/bar/');
setcookie('test', 'value2', time()+3600, '/');
setcookie('test', 'value3', time()+3600, '/foo/');

When a browser requests a file under the /foo/bar/ directory it sends the cookies
with the most specific one first:
test="value1"; $Path="/foo/bar";
test="value3"; $Path="/foo/";
test="value2"; $Path="/";

Then PHP processes these and it overrides the first two cookies with the most general one which is incorrect.

The correct behaviour is to leave the value of the cookie set to the most specific one.


 [2002-07-14 09:28 UTC] derick@php.net
Working on it...

Derick
 [2002-07-14 11:26 UTC] derick@php.net
A partial fix can be found here:
http://files.derickrethans.nl/cookie_patch.diff

As I have no more time to finish it I just share it here, it works, but not for registered globals.

Derick
 [2002-08-06 14:05 UTC] blackdragon3001 at hotmail dot com
I have win XP and PHP 4.2.2!
I have the same problem!

I have seen this: http://files.derickrethans.nl/cookie_patch.diff
but can I use this and how?
 [2002-08-08 06:54 UTC] jait at ee dot oulu dot fi
Correct me if I'm wrong but according to

http://wp.netscape.com/newsref/std/cookie_spec.html

it seems that there can be multiple cookie definitions with the same name. And as long as the path is different NONE of them should get overridden.

And if BOTH name and path equal the most recent cookie should be the only one that's valid.

So don't you think the correct behaviour is to pass ALL the cookies to the script as long as the path is different?

But this is kinda difficult with the way the $_COOKIE array is currently implemented.

jt
 [2002-08-08 19:10 UTC] shaggy at vip dot bg
You're quite right, the problem is I don't know how one can store this information in the _COOKIE array without breaking old apps.

The Netscape docs actually are superseded by an RFC, anyway it says that if there's more than one cookie the most specific should be taken into account - if the app can't deal with them all.
 [2002-08-09 16:25 UTC] dsguy04 at hotmail dot com
How do I fix it using http://files.derickrethans.nl/cookie_patch.diff?
What do I do with that stuff? I'm having this problem too.
 [2002-08-09 19:39 UTC] shaggy at vip dot bg
Depends on your OS:
On Unices say man patch to get the idea.

If you're on Windows search for Deloire/Cygnus and diffutils, unpack and patch.exe is in the bin directory.
Note: This is not a support forum or something.
 [2002-11-06 10:40 UTC] iliaa@php.net
Sorry, but your problem does not imply a bug in PHP itself.  For a
list of more appropriate places to ask for help using PHP, please
visit http://www.php.net/support.php as this bug system is not the
appropriate forum for asking support questions. 

Thank you for your interest in PHP.

This is more of a browser issue than anything else. I did a tcpdump of what is happening with your test code. All 3 cookie headers are sent by PHP, it is then up to the browser to determine which cookie to keep and send back.
For example Mozilla 1.0, Opera 6.02 and IE 6.0 have sent back the following header 'Cookie: test=value2', while Konqueror sent back Cookie: test=value3; test=value1.

It seems to me, that it is the browser's job to decide which cookie to keep and which to throw away.

 sent the last cookie only (value 3), Konqueror 3.0 sent 'Cookie: test=value3; test=value1'.
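
The thread notes that $_COOKIE holds one value per name, so a script cannot see same-named cookies set for different paths. The following is an added example, not code from this report or from PHP itself: it reads the raw Cookie header and keeps every value in the order the browser sent it. The function names parse_cookie_header and duplicate_cookie_names are hypothetical, and the sample header is the one quoted in the last comment.

```php
<?php
// Added example (not part of the bug report): expose every same-named cookie
// from the raw header instead of the single value kept in $_COOKIE.

/**
 * Return all cookie pairs in header order as name => [value, value, ...].
 */
function parse_cookie_header(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip empty or nameless segments
        }
        [$name, $value] = explode('=', $pair, 2);
        $name = trim($name);
        if ($name === '' || $name[0] === '$') {
            continue; // skip attributes such as $Path shown in the report
        }
        $value = trim($value);
        // Strip optional surrounding double quotes, as in test="value1"
        if (strlen($value) >= 2 && $value[0] === '"' && substr($value, -1) === '"') {
            $value = substr($value, 1, -1);
        }
        // PHP URL-decodes cookie values when filling $_COOKIE; do the same here
        $cookies[$name][] = urldecode($value);
    }
    return $cookies;
}

/**
 * Names that arrived more than once. The header carries no path for them,
 * so the application cannot tell which value belongs to which path.
 */
function duplicate_cookie_names(array $cookies): array
{
    return array_keys(array_filter($cookies, fn(array $v): bool => count($v) > 1));
}

// Constructed sample input: the header reported for Konqueror in this thread.
// In a live request, read $_SERVER['HTTP_COOKIE'] ?? '' instead.
$header = 'test=value3; test=value1';
$all = parse_cookie_header($header);
print_r($all);
print_r(duplicate_cookie_names($all));
```

An application that relies on a cookie for a security decision can use the duplicate list to reject or log requests where the same name arrives more than once.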
 