Bug #69523 setcookie() uses second parameter as name (first param)
Submitted: 2015-04-24 10:55 UTC Modified: 2015-05-12 08:50 UTC
From: florian dot schmidt dot welzow at t-online dot de Assigned: jpauli (profile)
Status: Closed Package: *Web Server problem
PHP Version: Irrelevant OS: Ubuntu 14.04.2
Private report: No CVE-ID: None

 [2015-04-24 10:55 UTC] florian dot schmidt dot welzow at t-online dot de
If you use the script provided in "Test script" section, you'll set a new cookie with the name "value" and an empty value. That seems to be a false behavior, the name of the cookie is required[1] and PHP should throw a fatal error, if an empty name is provided.


Test script:
setcookie('', 'value', time()+10);

Expected result:
Warning/Fatal error

Actual result:
A new cookie set with "value" as "name"


not_tested_check_for_name_argument (last revision 2015-04-24 11:11 UTC by florian dot schmidt dot welzow at t-online dot de)

 [2015-04-24 14:49 UTC]
-Status: Open +Status: Not a bug -Package: Output Control +Package: *Web Server problem -Assigned To: +Assigned To: cmb
 [2015-04-24 14:49 UTC]
Consider the following statement:

  setcookie('', 'value');
This constructs the following header field:

  Set-Cookie: =value
This header field conforms to RFC 6265, section 4.1.1[1], because
cookie-name may be empty. So PHP allows what is permitted according
to the relevant RFC.

What's happening on the client side is not a PHP issue. The
behavior you are describing (name and value are swapped) happens
on Chrome 42.0.2311.90 m, but not on Firefox 37.0.2, for instance.

[1] <>
 [2015-04-28 23:50 UTC] a at b dot c dot de
That RFC gives the productions

 set-cookie-header = "Set-Cookie:" SP set-cookie-string
 set-cookie-string = cookie-pair *( ";" SP cookie-av )
 cookie-pair       = cookie-name "=" cookie-value
 cookie-name       = token
 token             = <token, defined in [RFC2616], Section 2.2>

Where the latter reference defines "token" as
       token          = 1*<any CHAR except CTLs or separators>

CTL being ASCII control characters and "separators" being a list of punctuation marks.

So a cookie-name has to be a token, which is by definition _at least_ one character long.
 [2015-04-29 00:00 UTC]
Given that a name-less Set-Cookie header can cause problems (at the very least unexpected, probably browser-dependent behavior), a warning and no header seems like a good idea. Would be an easy patch too.
 [2015-04-29 00:39 UTC]
-Status: Not a bug +Status: Open
 [2015-04-29 00:39 UTC]
> cookie-name       = token
> token          = 1*<any CHAR except CTLs or separators>

Obviously, you're right and I was mistaken.

> [...] a warning and no header seems like a good idea.

A notice might suffice, and it may be considered to check the
cookie name against the specified grammar (not only hinting at
empty names).
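
The grammar check discussed in the comments above, as an added example (not the patch attached to this report and not PHP's own implementation). The names `cookie_name_error()` and `set_cookie_checked()` are hypothetical, and the sample names are constructed; the check implements the RFC 2616 section 2.2 `token` rule, which requires at least one character and excludes CTLs and separators.

```php
<?php
declare(strict_types=1);

// RFC 2616 section 2.2 "separators", including SP and HT.
const COOKIE_NAME_SEPARATORS = "()<>@,;:\\\"/[]?={} \t";

/**
 * Hypothetical helper: returns null when $name is a valid token
 * (1*<any CHAR except CTLs or separators>), otherwise the reason it is not.
 */
function cookie_name_error(string $name): ?string
{
    if ($name === '') {
        return 'empty name (token needs at least one character)';
    }
    $len = strlen($name);
    for ($i = 0; $i < $len; $i++) {
        $c = $name[$i];
        $o = ord($c);
        if ($o > 127) {
            return "non-ASCII byte at offset $i";      // CHAR is US-ASCII 0-127
        }
        if ($o < 32 || $o === 127) {
            return "control character at offset $i";   // CTL is 0-31 and DEL
        }
        if (strpos(COOKIE_NAME_SEPARATORS, $c) !== false) {
            return "separator '$c' at offset $i";
        }
    }
    return null;
}

/** Hypothetical wrapper: warn and send no header when the name is invalid. */
function set_cookie_checked(string $name, string $value = '', int $expires = 0): bool
{
    $err = cookie_name_error($name);
    if ($err !== null) {
        trigger_error("Cookie not sent: $err", E_USER_WARNING);
        return false;
    }
    return setcookie($name, $value, $expires);
}

// Constructed sample names; the first is the case from this report.
foreach (['', 'session_id', 'name=value', 'a b', "tab\tname", 'tracking-id.v2'] as $n) {
    printf("%-18s %s\n", json_encode($n), cookie_name_error($n) ?? 'ok');
}
```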
 [2015-05-01 22:24 UTC]
-Status: Assigned +Status: Analyzed -Assigned To: cmb +Assigned To:
 [2015-05-12 08:50 UTC]
-Status: Analyzed +Status: Feedback
 [2015-05-12 08:50 UTC]
Please try using this snapshot:
For Windows:

I merged the PR with a WARNING error, we still can change it to a NOTICE in the future, if someone objects.
 [2015-05-12 08:50 UTC]
-Status: Feedback +Status: Closed -Assigned To: +Assigned To: jpauli