|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #35975 session_set_cookie_params and setcookie
Submitted: 2006-01-12 01:32 UTC Modified: 2008-12-11 02:07 UTC
Avg. Score:3.3 ± 1.7
Reproduced:2 of 3 (66.7%)
Same Version:0 (0.0%)
Same OS:2 (100.0%)
From: waitman at waitman dot net Assigned:
Status: Closed Package: Feature/Change Request
PHP Version: 4.4.1 OS: Linux
Private report: No CVE-ID: None
 [2006-01-12 01:32 UTC] waitman at waitman dot net
Both the session_set_cookie_params() and setcookie() functions output dates in the format:


Which appears to be correctly parsed in browsers such as MSIE and Mozilla/Firefox. However, I have noticed that some of the popular Mobile Client Web Browsers (such as OpenWave) do not parse the date properly and set the "expires" value to the end of the current session, regardless of the "expires" value intended.

According to RFC 2109, the "expires" value is obsolete and replaced with "max-age" (which is not set by either function listed above). But it does state that browser vendors should be aware that the "Expires" tag may be used as defined by the original Netscape proposal.

The original Netscape proposal states the following about the Expire value:

"The date string is formatted as:


This is based on RFC 822, RFC 850, RFC 1036, and RFC 1123, with the variations that the only legal time zone is GMT and the separators between the elements of the date must be dashes."

My opinion is that either the PHP functions should use the "Max Age" value (with an integer indicating number of seconds) per the RFC or the date format returned should have the dash between the day, month and year.

Reproduce code:

setcookie("foo", "bar", $time, "/", "", 0);

// and

session_set_cookie_params ( 10000, "/", "", 0);


Expected result:
200 OK
Set-Cookie: foo=bar; expires=Sun, 09-Mar-2008 09:01:01 GMT; path=/;
Set-Cookie: PHPSESSID=e5e7ea79f6450d219c7471e559a29bab; expires=Thu, 12-Jan-2006 03:16:47 GMT; path=/;

Actual result:
200 OK
Set-Cookie: foo=bar; expires=Sun, 09 Mar 2008 09:01:01 GMT; path=/;
Set-Cookie: PHPSESSID=e5e7ea79f6450d219c7471e559a29bab; expires=Thu, 12 Jan 2006 03:16:47 GMT; path=/;


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2008-11-27 10:20 UTC] odbc3 at hotmail dot com
The setcookie() is working fine in 5.2.6 on windows and Linux.
The session_start() is still without hyphens in the date.
Mobile phones such as the Sony Erricson K800 or K850 will ignore the cookie if there is no hyphen.
A bug fix is crucial to provide correct operation of websites for mobiles.
 [2008-12-11 01:21 UTC]
This bug has been fixed in CVS.

Snapshots of the sources are packaged every three hours; this change
will be in the next snapshot. You can grab the snapshot at
Thank you for the report, and for helping us make PHP better.

 [2008-12-11 02:07 UTC] waitman at waitman dot net
whoa. it's been a while. ;-) excellent, thanks!
PHP Copyright © 2001-2020 The PHP Group
All rights reserved.
Last updated: Thu May 28 02:01:25 2020 UTC