php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #67736 setcookie() not updating existing cookies
Submitted: 2014-08-01 14:02 UTC Modified: 2014-08-01 17:10 UTC
Votes:7
Avg. Score:4.9 ± 0.3
Reproduced:4 of 6 (66.7%)
Same Version:3 (75.0%)
Same OS:1 (25.0%)
From: brad at bradb dot net Assigned:
Status: Verified Package: *General Issues
PHP Version: 5.6.0 OS: Linux (Ubuntu)
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: brad at bradb dot net
New email:
PHP Version: OS:

 

 [2014-08-01 14:02 UTC] brad at bradb dot net
Description:
------------
Multiple calls to setcookie() with the same name are not resulting in the cookie header being updated, but instead appended. So the headers are being returned with multiple cookies of the same name. As there seems to be no standard for which browsers select in this instance, it creates headaches! 

Also reinstalled 5.5.9 and seeing the same issue, again via the Ubuntu package.

It seems to occur with both setcookie() and setrawcookie(). A simple test will show the issue:

Here's the output of the test script.



Test script:
---------------
<?php

setcookie("test", "abc");
setcookie("test", "def");


Expected result:
----------------
HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 13:46:05 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.6.0RC2
Set-Cookie: test=def
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT, HEAD
Access-Control-Allow-Headers: Origin,Content-Type,Accept,Authorization
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Actual result:
--------------
HTTP/1.1 200 OK
Date: Fri, 01 Aug 2014 13:46:05 GMT
Server: Apache/2.4.10 (Ubuntu)
X-Powered-By: PHP/5.6.0RC2
Set-Cookie: test=abc
Set-Cookie: test=def
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT, HEAD
Access-Control-Allow-Headers: Origin,Content-Type,Accept,Authorization
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8


Patches

Fixes-setcookie-to-only-send-one-Set-Cookie-header-per-header-name (last revision 2014-08-31 17:13 UTC) by florian at margaine dot com)

Add a Patch

Pull Requests

Pull requests:

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2014-08-01 17:10 UTC] tyrael@php.net
-Status: Open +Status: Verified -PHP Version: 5.6.0RC3 +PHP Version: 5.6.0
 [2014-08-01 17:10 UTC] tyrael@php.net
I think we should fix this.
rfc6265 (latest rfc defining http cookies) states that 
"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name."
 [2014-09-01 00:19 UTC] Danack at basereality dot com
(X-posting from PR)

The PHP code does not have a bug. The RFC does not forbid sending multiple cookies with the same name:

"Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name. (See Section 5.2 for how user agents handle this case.)"

Although it is definitely not recommended, the RFC does not say MUST NOT.

Even if it was forbidden by the RFC, it is not PHP's job to enforce conformance to RFCs. That is up to the programmer using PHP to not send improper data.

The idea of having setcookie magically modifying the cookie header that is sent is not good. It would be adding more magic behaviour to PHP to cover up the fact that the programmer who is calling setcookie() has a bug in their code.

Adding a warning is enough. It tells people that they are doing something that is probably unwise, but is technically allowed. Doing anything more is not only the wrong thing to do anyway, but introduces a backwards compatibility break for no good reason.

If someone is unaware they are calling setcookie() twice with the same name, the error will alert them and allow them to fix their code.

If someone is deliberately calling setcookie() twice with the same name (e.g. for a legacy application that knows how to handle multiple cookies with the same name) then they will need to continue using the current behaviour.

Changing the behaviour just because it would be a bit 'better' is not a good idea. There needs to be a clear reason for changing the behaviour, and I don't think there is one here.
 [2014-09-08 13:12 UTC] craig at craigfrancis dot co dot uk
There might be a case with sessions... e.g. if you called session_start() more than once.

While this is not normal, in a high security application you might do a session_start() and a session_regenerate_id(true) when the user logs in... then because of bug 61470, you will need to follow up with a session_write_close() and session_start() as well (important if the login process takes a while, and you need the session file to also act as a lock file)... in this case the "set-cookie" header is sent 3 times.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC