PHP :: Bug #43311 :: setcookie should not be able to set cookies larger than 4096 bytes

Bug #43311	setcookie should not be able to set cookies larger than 4096 bytes
Submitted:	2007-11-16 01:30 UTC	Modified:	2007-11-18 13:55 UTC
From:	crrodriguez at suse dot de	Assigned:	iliaa (profile)
Status:	Not a bug	Package:	*General Issues
PHP Version:	5.3CVS-2007-11-16 (CVS)	OS:	Irrelevant
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	crrodriguez at suse dot de
New email:
PHP Version:		OS:

New/Additional Comment:

[2007-11-16 01:30 UTC] crrodriguez at suse dot de

Description:
------------
The following report caught my attention 

http://www.securityfocus.com/archive/1/483705

That is indeed a bug in Konqueror, but if you look the "reproduce code" it says.

Reproduce code:
---------------
<?php

ini_set("memory_limit","200M");

setcookie("hi_fox", str_repeat("A",19999999));

?>

Expected result:
----------------
PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes.

http://www.15seconds.com/faq/Cookies/388.htm

http://wp.netscape.com/newsref/std/cookie_spec.html


E-Warning "Cookie cannot store more than %d bytes of data"

Actual result:
--------------
PHP setting a 200MB cookie anyway.


patch here : http://rafb.net/p/zs0ojA57.html

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-11-16 03:26 UTC] judas dot iscariote at gmail dot com

corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) 

http://www.flyspray.org/patches/setcookie-4096btyesonly.patch

[2007-11-16 08:17 UTC] yoy dot noneoff at dfgh dot net

http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965

RFCS linked from the setcookie function docs

"
...
     *  at least 300 cookies

      *  at least 4096 bytes per cookie (as measured by the characters
         that comprise the cookie non-terminal in the syntax description
         of the Set-Cookie2 header, and as received in the Set-Cookie2
         header)
...
"

keyword:at least 

so basicly php should not limit cookie length, it up to the client/browser how to handle it.

[2007-11-16 08:23 UTC] judas dot iscariote at gmail dot com

PHP implements the netscape spec, **not** the RFC one

"When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes"

"Servers should not expect clients to be able to exceed these limits"


In the case of PHP, sending a cookie bigger than 4kb is useless because no browser will use it correctly, and truncating it without emitting any warning just makes debugging  harder.

[2007-11-16 08:51 UTC] crrodriguez+php at suse dot de

also imagine the following code

setcookie ("foo", $_GET['reallybigdata']) 

it can also exausts the PHP process or system memory(dependding on the memory limit)for no gain because the browser will truncate it anyway.

[2007-11-16 09:54 UTC] yoy dot noneoff at dfgh dot net

ie7 increased the number of cookies per domain from 20 to 50, like other browsers.

so why not limiting php to set max 20 cookies per domain like NS "mention"?

Netscape also follow these rfc

if the client ignore part of the cookie it's not PHP concern.
what if I built an application follow the rfc and php artificially limiting me?

[2007-11-16 12:38 UTC] jani@php.net

In my opinion it's up to the coder to decide what he allows to be put in cookies set. If he/she does't bother doing any filtering or such for and inserts blindly input data there, it's his/her fault..

[2007-11-18 13:55 UTC] iliaa@php.net

While it would be absolutely trivial to add an artificial limit of 4K or 
any other arbitrary # as the maximum cookie length. This would not be 
correct and has a good chance of breaking existing applications.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Mon Apr 29 14:01:30 2024 UTC