Fixes setcookie to only send one Set-Cookie header per name #849
Conversation
According to the IETF RFC 6265, only one Set-Cookie header should be sent per cookie name. Fixes #67736 Cherry-picks and adapts 208deda for master
| @@ -92,6 +93,13 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t | |||
| return FAILURE; | |||
| } | |||
|
|
|||
| if (zend_hash_exists(SG(cookies), z_name) == 1) { | |||
| php_error_docref(NULL TSRMLS_CC, E_WARNING, "should not be used twice with the same name"); | |||
There was a problem hiding this comment.
it's better also print the duplicated cookie name here
There was a problem hiding this comment.
Sure, I'll see how I can phrase this.
Le 28 sept. 2014 07:38, "Xinchen Hui" notifications@github.com a écrit :
In ext/standard/head.c:
@@ -92,6 +93,13 @@ PHPAPI int php_setcookie(char *name, int name_len, char *value, int value_len, t
return FAILURE;
}
- if (zend_hash_exists(SG(cookies), z_name) == 1) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "should not be used twice with the same name");it's better also print the duplicated cookie name here
—
Reply to this email directly or view it on GitHub
https://github.com/php/php-src/pull/849/files#r18127724.
|
This is still not an actual bug. Although RFC 6265 says
The meaning of 'Should not' explicitly means that the behaviour is not forbidden.
I don't believe giving a warning is appropriate behaviour either. If people need that safety built into their session management, they can easily build that protection in userland. |
|
Since the author seems to have abandoned working on this (no response to very old previous comment), I'm closing this PR. Please take this action as encouragement to open a clean PR that deals with the comments made here. |
According to the IETF RFC 6265, only one Set-Cookie header should be sent per cookie name.
Fixes https://bugs.php.net/bug.php?id=67736
Cherry-picks and adapts 208deda (#795) for master