|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #32802 General cookie overrides more specific cookie (path)
Submitted: 2005-04-23 14:19 UTC Modified: 2005-05-17 20:42 UTC
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:2 (100.0%)
Same OS:1 (50.0%)
From: ast at gmx dot ch Assigned: ilia (profile)
Status: Closed Package: HTTP related
PHP Version: 4CVS-2005-05-17 OS: *
Private report: No CVE-ID: None
 [2005-04-23 14:19 UTC] ast at gmx dot ch
------------, you closed the bug prematurely. It is indeed a PHP bug. Let me explain...

From RFC 2965, which obsoletes 2109, and is the reference for cookie / HTTP state management mechanism:
See 4.2  Example 2

Imagine the user agent has received, in response to earlier requests,
   the response headers

   Set-Cookie2: Part_Number="Rocket_Launcher_0001"; Version="1";


   Set-Cookie2: Part_Number="Riding_Rocket_0023"; Version="1";

   A subsequent request by the user agent to the (same) server for URLs
   of the form /acme/ammo/...  would include the following request

   Cookie: $Version="1";
           Part_Number="Riding_Rocket_0023"; $Path="/acme/ammo";
           Part_Number="Rocket_Launcher_0001"; $Path="/acme"

   Note that the NAME=VALUE pair for the cookie with the more specific
   Path attribute, /acme/ammo, comes before the one with the less
   specific Path attribute, /acme.  Further note that the same cookie
   name appears more than once.

Also from the RFC:
If multiple cookies satisfy the criteria above, they are ordered in
the Cookie header such that those with more specific Path attributes
precede those with less specific. Ordering with respect to other
attributes (e.g., Domain) is unspecified.

My example is a little specific, but is described in

I tested with ethereal, to look into the packets my browser actually sent to the webserver. IE and FF behave the same way.
The HTTP header containing the cookies looked the same in both browsers and conformed to the RFC2965.
The most specific matched cookies (path) are listed first, the least specific matching cookies last, all NAME=VALUE pairs are delimited by a semicolon.

There are a number of options to retrieve cookie data in php. $_COOKIE is indexed by NAME, so you get only a single cookie if mutliple cookies have the same NAME but a different path. That's not good. 
And $_COOKIE['COOKIENAME'] is the least specific cookie. I guess, php just runs through the Cookie: header and does something like $_COOKIE[$NAME] = $value, replacing more specific cookies with less specific cookies.

$_GLOBALS['HTTP_SERVER_VARS'] lists all cookies, according to the RFC2965 specification! That's good.
Same for $_GLOBALS['_SERVER']['HTTP_COOKIE'] = $_SERVER['HTTP_COOKIE']. This is good!

Example showing multiple cookies with NAME = GALLERYSID (they have different paths), I have this from print_r($_SERVER):
[HTTP_COOKIE] => GALLERYSID=6fb8f64ad5107c62b812f9c4d3cd69b0; G2_hybrid=1%3B5%3B1%3B1%3B1%3B0%3B; xarayaclassic_textsize=Small classictext; GALLERYSID=8603809d6b5671bbef5d4b8465d0db89; xarayaclassic_colscheme=null

So the browsers comply with RFC 2965, but PHP doesn't.

What should be fixed:
The most specific path matched cookie should be in the $_COOKIE array, not the least specific matched cookie! I.e. when parsing HTTP header  Cookie: from left to right, do this:
if (!isset($_COOKIE[$name])) {
    $_COOKIE[$name] = $value;
instead of just 
$_COOKIE[$name] = $value;


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2005-04-24 03:21 UTC] ast at gmx dot ch
Here is a fix for my application. 

     * Fix the superglobal $_COOKIE to conform with RFC 2965
     * We don't use $_COOKIE[$cookiename], because it doesn't conform to RFC 2965 (the
     * cookie standard), i.e. in $_COOKIE, we don't get the cookie with the most specific path for
     * a given cookie name, we get the cookie with the least specific cookie path.
     * This function does it exactly the other way around to conform with the RFC.
     * This function reevaluates the HTTP Cookie header and populates $_COOKIE with the correct
     * cookies.
     * @static
    function fixCookieVars() {
	     if (isset($_SERVER['HTTP_COOKIE']) && !empty($_SERVER['HTTP_COOKIE'])) {
		$allCookies = explode(';', $_SERVER['HTTP_COOKIE']);
		 * Get rid of less specific cookies if multiple cookies with the same NAME
		 * are present. Do this by going from left/first cookie to right/last cookie.
                /* Reset the $_COOKIE array */
		$_COOKIE = array();
                /* Repopulate it, but now correctly */
		foreach ($allCookies as $cookie) {
		    /* Split NAME [=VALUE], value is optional */
		    $cookie = explode('=', $cookie);
		    $key = preg_replace('|\s|', '', $cookie[0]);
		    $value = isset($cookie[1]) ? $cookie[1] : '';
		    if (!isset($_COOKIE[$key])) {
			$_COOKIE[$key] = $value;
 [2005-04-24 14:01 UTC]
Reproduce script:


setcookie("TestCookie", "Value1", time()+3600, "/test/");
setcookie("TestCookie", "Value2", time()+3600, "/");

if (!isset($_COOKIE['TestCookie'])) {
  header("Location: {$_SERVER['PHP_SELF']}");

echo '<pre>';
echo '</pre>';


 [2005-05-17 20:42 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Sat Dec 02 10:01:26 2023 UTC