PHP :: Bug #78207 :: setrawcookie does not not behave like setcookie when overwriting

Bug #78207	setrawcookie does not not behave like setcookie when overwriting
Submitted:	2019-06-25 15:12 UTC	Modified:	2019-06-25 15:31 UTC
From:	nico at billiotte dot fr	Assigned:
Status:	Not a bug	Package:	Unknown/Other Function
PHP Version:	7.3.6	OS:	OSX + linux
Private report:	No	CVE-ID:	None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	nico at billiotte dot fr
New email:
PHP Version:		OS:

New/Additional Comment:

[2019-06-25 15:12 UTC] nico at billiotte dot fr

Description:
------------
---
From manual page: https://php.net/function.setrawcookie
---


Test script:
---------------
$id = $_REQUEST['id'];
$val = $_REQUEST['val'];

if( isset($_COOKIE['testcookie']) ){
     $cookie = json_decode($_COOKIE['testcookie'], true);
}

$moncookie[$id] = $val;
setrawcookie('testcookie', json_encode($cookie), 0, '/');



Expected result:
----------------
send id = 1 & val = "foo"
cookie = {1:foo} -> correct

then resend id = 2 & val = "bar"
cookie should contain {1:foo, 2:bar}




Actual result:
--------------
the cookie remains nothing changes
{1:foo} -> not correct

change setrawcookie by setcookie and add urldecode() and everything is fine you can "update" the cookie

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2019-06-25 15:31 UTC] daverandom@php.net

-Status: Open +Status: Not a bug

[2019-06-25 15:31 UTC] daverandom@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

This is the correct, intended behaviour - it is caused by the specific value for the cookie, rather than the general behaviour of the function.

If you turn on error reporting, you will find that the following warning is emitted:

> Warning: Cookie values cannot contain any of the following ',; \t\r\n\013\014' in ...

This is due to the syntax of the Cookie header in the HTTP protocol. The solution to this problem is to use setcookie() instead of setrawcookie(), which will correctly encode the values.

This issue arises because the JSON generated by the first request does not contain a comma, the second request adds a second element separated by a comma.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Apr 19 13:01:30 2024 UTC