Bug #69523 setcookie() uses second parameter as name (first param)
Submitted: 2015-04-24 10:55 UTC Modified: 2015-05-12 08:50 UTC
From: florian dot schmidt dot welzow at t-online dot de Assigned: jpauli
Status: Closed Package: *Web Server problem
PHP Version: Irrelevant OS: Ubuntu 14.04.2
Private report: No CVE-ID:
 [2015-04-24 10:55 UTC] florian dot schmidt dot welzow at t-online dot de
Description:
------------
If you use the script provided in "Test script" section, you'll set a new cookie with the name "value" and an empty value. That seems to be a false behavior, the name of the cookie is required[1] and php should throw a fatal error, if an empty name is provided.

[1] http://php.net/manual/de/function.setcookie.php

Test script:
---------------
<?php
// Empty cookie name: the reported call that produces "Set-Cookie: =value"
setcookie('', 'value', time()+10);
var_dump($_COOKIE);

Expected result:
----------------
Warning/Fatal error

Actual result:
--------------
A new cookie set with "value" as "name"

Patches

not_tested_check_for_name_argument (last revision 2015-04-24 11:11 UTC) by florian dot schmidt dot welzow at t-online dot de


Pull Requests

Pull requests:


History

 [2015-04-24 14:49 UTC] cmb@php.net
-Status: Open +Status: Not a bug -Package: Output Control +Package: *Web Server problem -Assigned To: +Assigned To: cmb
 [2015-04-24 14:49 UTC] cmb@php.net
Consider the following statement:

  setcookie('', 'value');
  
This constructs the following header field:

  Set-Cookie: =value
  
This header field conforms to RFC 6265, section 4.1.1[1], because
cookie-name may be empty. So PHP allows what is permitted according
to the relevant RFC.

What's happening on the client side is not a PHP issue. The
behavior you are describing (name and value are swapped) happens
on Chrome 42.0.2311.90 m, but not on Firefox 37.0.2, for instance.

[1] <http://tools.ietf.org/html/rfc6265#section-4.1.1>
 [2015-04-28 23:50 UTC] a at b dot c dot de
That RFC gives the productions

 set-cookie-header = "Set-Cookie:" SP set-cookie-string
 set-cookie-string = cookie-pair *( ";" SP cookie-av )
 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 token             = <token, defined in [RFC2616], Section 2.2>

Where the latter reference defines "token" as
       token          = 1*<any CHAR except CTLs or separators>

CTL being ASCII control characters and "separators" being a list of punctuation marks.

So a cookie-name has to be a token, which is by definition _at least_ one character long.
 [2015-04-29 00:00 UTC] requinix@php.net
Given that a name-less Set-Cookie header can cause problems (at the very least unexpected, probably browser-dependent behavior), a warning and no header seems like a good idea. Would be an easy patch too.
 [2015-04-29 00:39 UTC] cmb@php.net
-Status: Not a bug +Status: Open
 [2015-04-29 00:39 UTC] cmb@php.net
> cookie-name       = token
> token          = 1*<any CHAR except CTLs or separators>

Obviously, you're right and I was mistaken.

> [...] a warning and no header seems like a good idea.

A notice might suffice, and it may be considered to check the
cookie name against the specified grammar (not only hinting at
empty names).
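The two comments above quote the token grammar a cookie-name must satisfy and suggest checking the name against that grammar rather than only rejecting the empty string. The following is an added example written for this page, not PHP's setcookie() implementation and not the patch attached to this report: is_cookie_token() implements the RFC 2616 token production (at least one CHAR, no CTLs, no separators), and the hypothetical wrapper setcookie_checked() raises a warning and sends no header when the name fails that check, which is the behaviour requinix proposed.

```php
<?php
// Added example; not PHP's own setcookie() logic and not the patch from this report.
// Implements the grammar quoted in the thread:
//   cookie-name = token
//   token       = 1*<any CHAR except CTLs or separators>   (RFC 2616, section 2.2)
// CHAR is US-ASCII 0-127, CTLs are 0-31 and 127, and separators are
//   ( ) < > @ , ; : \ " / [ ] ? = { } SP HT

function is_cookie_token(string $name): bool
{
    // "1*" means at least one character, so the empty name from the report is rejected here.
    if ($name === '') {
        return false;
    }
    $separators = "()<>@,;:\\\"/[]?={} \t";
    $len = strlen($name);
    for ($i = 0; $i < $len; $i++) {
        $c = ord($name[$i]);
        // Reject non-ASCII octets and CTLs (0-31, 127).
        if ($c > 127 || $c < 32 || $c === 127) {
            return false;
        }
        // Reject any of the RFC 2616 separators.
        if (strpos($separators, $name[$i]) !== false) {
            return false;
        }
    }
    return true;
}

// Hypothetical wrapper: refuse to emit a Set-Cookie header with a non-token name
// and raise a warning instead, so a browser never sees "Set-Cookie: =value".
function setcookie_checked(string $name, string $value = '', int $expires = 0,
                           string $path = '', string $domain = '',
                           bool $secure = false, bool $httponly = false): bool
{
    if (!is_cookie_token($name)) {
        trigger_error("Cookie name '$name' is not a valid token; no header sent", E_USER_WARNING);
        return false;
    }
    return setcookie($name, $value, $expires, $path, $domain, $secure, $httponly);
}

// Constructed sample names for a quick check (expected: false, false, false, true, true).
var_dump(is_cookie_token(''));           // empty: violates 1*
var_dump(is_cookie_token('a=b'));        // '=' is a separator
var_dump(is_cookie_token("na\x00me"));   // NUL is a CTL
var_dump(is_cookie_token('session_id'));
var_dump(is_cookie_token('PHPSESSID'));
```

The wrapper keeps the positional signature of setcookie() from PHP 7 so it can be dropped in where the original call was made; the separator list is the one from RFC 2616 section 2.2, so names containing characters such as "/" or ":" are rejected even though some browsers would accept them.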
 [2015-05-01 22:24 UTC] cmb@php.net
-Status: Assigned +Status: Analyzed -Assigned To: cmb +Assigned To:
 [2015-05-12 08:50 UTC] jpauli@php.net
-Status: Analyzed +Status: Feedback
 [2015-05-12 08:50 UTC] jpauli@php.net
Please try using this snapshot:

  http://snaps.php.net/php-trunk-latest.tar.gz
 
For Windows:

  http://windows.php.net/snapshots/

I merged the PR with a WARNING error, we still can change it to a NOTICE in the future, if someone objects.
 [2015-05-12 08:50 UTC] jpauli@php.net
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: jpauli
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Fri Jul 21 08:01:41 2017 UTC