Bug #76688 Cookie $options should not allow further arguments
Submitted: 2018-07-31 21:17 UTC Modified: 2018-08-07 21:39 UTC
From: Assigned: pmmaga (profile)
Status: Closed Package: Network related
PHP Version: 7.3Git-2018-07-31 (Git) OS: *
Private report: No CVE-ID: None
 [2018-07-31 21:17 UTC]
The support for SameSite cookie directives[1] introduced $option
parameters for setcookie(), setrawcookie() and
session_set_cookie_params(), but these appear to allow further
arguments to be passed, which does not appear to conform to the
respective RFC[2], and is generally confusing.

[1] <>
[2] <>

Test script:
    session_set_cookie_params(array('path'=>'/foo/'), 'bar', '');

Expected result:
A warning regarding excess arguments, which should be ignored for
further processing.

Actual result:
array(6) {
  string(5) "/foo/"
  string(15) ""
  string(0) ""
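
One way to find calls of the kind reported above in a code base, as an added example that is not part of the original report or of PHP's source: a heuristic scanner built on token_get_all() that flags unqualified calls to the three named functions when a literal options array is followed by further arguments. The name find_excess_cookie_args and the sample input are constructed for illustration; options passed in a variable are not classified, and method calls with the same name are not told apart.

```php
<?php
// Added example, not PHP's own code: function name => 0-based position of its options array.
const OPTIONS_POS = ['setcookie' => 2, 'setrawcookie' => 2, 'session_set_cookie_params' => 0];
// Returns [line, function] pairs for calls that pass arguments after a literal options array.
function find_excess_cookie_args(string $source): array
{
    // Drop whitespace and comments so neighbouring tokens can be compared directly.
    $tokens = array_values(array_filter(token_get_all($source), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true);
    }));
    $hits = [];
    foreach ($tokens as $i => $t) {
        $name = is_array($t) && $t[0] === T_STRING ? strtolower($t[1]) : '';
        if (!array_key_exists($name, OPTIONS_POS) || ($tokens[$i + 1] ?? null) !== '(') {
            continue;
        }
        $depth = 0;   // bracket nesting; 1 = directly inside the call's parentheses
        $arg = 0;     // index of the argument being read
        $starts = []; // first token of each argument
        for ($k = $i + 1, $n = count($tokens); $k < $n; $k++) {
            $text = is_array($tokens[$k]) ? $tokens[$k][1] : $tokens[$k];
            if ($depth === 1 && $text === ',') {
                $arg++;
            } elseif ($depth === 1 && $text !== ')' && !isset($starts[$arg])) {
                $starts[$arg] = strtolower($text);
            }
            if (in_array($text, ['(', '[', '{', '${'], true)) {
                $depth++;
            } elseif (in_array($text, [')', ']', '}'], true) && --$depth === 0) {
                break; // closing parenthesis of the call
            }
        }
        $pos = OPTIONS_POS[$name];
        if (in_array($starts[$pos] ?? '', ['[', 'array'], true) && count($starts) > $pos + 1) {
            $hits[] = [$t[2], $name];
        }
    }
    return $hits;
}
// Constructed sample input; the first call is the report's test script.
$sample = <<<'PHP'
<?php
session_set_cookie_params(array('path'=>'/foo/'), 'bar', '');
setcookie('sid', $id, ['path' => '/', 'samesite' => 'Strict']);
setrawcookie('t', $v, ['secure' => true], '/', 'example.test');
PHP;
foreach (find_excess_cookie_args($sample) as [$line, $fn]) {
    echo "line $line: $fn() passes arguments after the options array\n";
}
```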


 [2018-07-31 21:29 UTC] phpdev at ehrhardt dot nl
Related to the same RFC implementation: php_setcookie requires a 9th argument now. This line:

leads to

serverresponse.c(1034): error C2198: 'php_setcookie': too few arguments for call

It only compiles on Windows if you add an extra argument NULL.
 [2018-07-31 21:33 UTC] phpdev at ehrhardt dot nl
The referenced line is

    php_setcookie(name, value, expires, path, domain, secure, !raw, httponly);

And has to be changed to

    php_setcookie(name, value, expires, path, domain, secure, !raw, httponly, NULL);

to make it compile.
 [2018-07-31 22:16 UTC]
@phpdev: That's right, this does come with an API change, and as with any new series existing extensions may not be source-compatible.
But just because it compiles does not mean it's correct. Simply adding NULL is wrong. You should wait until the author updates for PHP 7.3.
 [2018-07-31 23:07 UTC]
-Assigned To: +Assigned To: pmmaga
 [2018-08-07 21:39 UTC]
For reference: <>.
 [2018-08-12 13:50 UTC]
Automatic comment on behalf of
Log: Fix #76688: Disallow excessive parameters after options array
 [2018-08-12 13:50 UTC]
-Status: Assigned +Status: Closed
Last updated: Mon May 29 10:03:44 2023 UTC