Bug #72071 setcookie allows max-age to be negative
Submitted: 2016-04-21 21:41 UTC Modified: -
Avg. Score: 5.0 ± 0.0
Reproduced: 0 of 0 (0.0%)
From: Assigned:
Status: Closed Package: *General Issues
PHP Version: 5.6.20 OS: Linux
Private report: No CVE-ID: None
 [2016-04-21 21:41 UTC]
I believe 7.x has the same issues, but I am using 5.6.x.

setcookie is setting a negative max-age value.  The RFC:

states max-age is delta-seconds, which is defined in RFC:

"The delta-seconds rule specifies a non-negative integer, representing time in seconds."

The test script below shows that the max age is getting set to negative values instead of zero.

In fixing this bug I noticed that it was also doing a time(NULL) instead of calling sapi_get_request_time().  I fixed that as well.

Test script:
<?php
// Expiry one hour in the past: Max-Age should be clamped to 0, not -3600.
setcookie("TestCookie-Now-3600", "1", time() - 3600);
// Expiry one hour in the future: Max-Age should be 3600.
setcookie("TestCookie-Now+3600", "1", time() + 3600);

Expected result:
Set-Cookie: TestCookie-Now-3600=1; expires=Thu, 21-Apr-2016 19:29:15 GMT; Max-Age=0
Set-Cookie: TestCookie-Now+3600=1; expires=Thu, 21-Apr-2016 21:29:15 GMT; Max-Age=3600

Actual result:
Set-Cookie: TestCookie-Now-3600=1; expires=Thu, 21-Apr-2016 19:29:09 GMT; Max-Age=-3600
Set-Cookie: TestCookie-Now+3600=1; expires=Thu, 21-Apr-2016 21:29:09 GMT; Max-Age=3600
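As an added example (not code from the report or from php-src), the following C model shows how setcookie() derives Max-Age from the expiry timestamp and the request time, with the unclamped computation that produces the negative value beside the clamped one, plus a check a reviewer can run over an emitted header. The request time is a constructed value chosen to match the report's expected output, and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Behaviour reported in #72071: the raw difference is emitted, so an expiry
   in the past produces a negative Max-Age. */
long max_age_unclamped(time_t expires, time_t now) {
    return (long)(expires - now);
}

/* delta-seconds is a non-negative integer, so a past expiry must yield Max-Age=0. */
long max_age_clamped(time_t expires, time_t now) {
    long delta = (long)(expires - now);
    return delta < 0 ? 0 : delta;
}

/* Format the expires attribute as PHP emits it, e.g. "Thu, 21-Apr-2016 19:29:15 GMT". */
int format_cookie_date(time_t t, char *buf, size_t len) {
    struct tm *gt = gmtime(&t);
    if (gt == NULL) return -1;
    return strftime(buf, len, "%a, %d-%b-%Y %H:%M:%S GMT", gt) ? 0 : -1;
}

/* Render the Set-Cookie line. 'now' is passed in rather than read via time(NULL),
   mirroring the reporter's point that the request time should be used. */
int build_set_cookie(char *out, size_t len, const char *name, const char *value,
                     time_t expires, time_t now) {
    char date[64];
    if (format_cookie_date(expires, date, sizeof date) != 0) return -1;
    int n = snprintf(out, len, "Set-Cookie: %s=%s; expires=%s; Max-Age=%ld",
                     name, value, date, max_age_clamped(expires, now));
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Defender-side check on a rendered header: Max-Age present and not negative. */
int max_age_is_nonnegative(const char *line) {
    const char *p = strstr(line, "Max-Age=");
    return p != NULL && p[8] != '-';
}

int main(void) {
    time_t now = 1461270555; /* constructed: 2016-04-21 20:29:15 UTC, as in the report */
    char line[256];
    if (build_set_cookie(line, sizeof line, "TestCookie-Now-3600", "1", now - 3600, now) == 0)
        printf("%s\n", line); /* Max-Age=0, not -3600 */
    if (build_set_cookie(line, sizeof line, "TestCookie-Now+3600", "1", now + 3600, now) == 0)
        printf("%s\n", line); /* Max-Age=3600 */
    return 0;
}
```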


max-age.diff (last revision 2016-04-21 21:41 UTC by bfrance)



 [2017-04-09 11:15 UTC]
Automatic comment on behalf of
Log: Fixed bug #72071: Prevent Max-Age from being negative
 [2017-04-09 11:15 UTC]
-Status: Open +Status: Closed
PHP Copyright © 2001-2018 The PHP Group
All rights reserved.
Last updated: Sun Nov 19 01:31:42 2017 UTC