|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #79174 setcookie() encodes space as `+`, but $_COOKIE no longer decodes them
Submitted: 2020-01-27 15:14 UTC Modified: 2020-01-28 14:39 UTC
Avg. Score:4.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:1 (100.0%)
From: bjorsch at wikimedia dot org Assigned: cmb (profile)
Status: Closed Package: URL related
PHP Version: 7.4.2 OS: Irrelevant
Private report: No CVE-ID: None
 [2020-01-27 15:14 UTC] bjorsch at wikimedia dot org
------------;a=commit;h=79376ab209f61be03bbf8c1b6177c18261767da8 fixed #78929 by changing the cookie decoding logic to use php_raw_url_decode() rather than php_url_decode(). Unfortunately, it didn't change php_setcookie() to match.

This results in cookie values with spaces failing to round-trip.

Test script:
You already have a test illustrating this behavior at;a=blob;f=ext/standard/tests/network/setcookie.phpt;h=d41bed01f4e9e3866817ef9e3c6aff10dd575ed5;hb=79376ab209f61be03bbf8c1b6177c18261767da8

See lines 10 and 27.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2020-01-27 16:04 UTC]
-Assigned To: +Assigned To: cmb
 [2020-01-28 14:38 UTC]
Automatic comment on behalf of
Log: Fix #79174: cookie values with spaces fail to round-trip
 [2020-01-28 14:38 UTC]
-Status: Assigned +Status: Closed
 [2020-01-28 14:39 UTC]
The fix for this bug has been committed.
If you are still experiencing this bug, try to check out latest source from and re-test.
Thank you for the report, and for helping us make PHP better.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Apr 20 16:01:29 2024 UTC