Hello all,

On a pull request submitted via GitHub, it was suggested to me that I
should write an RFC about the feature that I'm proposing as well as to
write about it here on the internals mail list.

However, creating new pages (including RFCs) on wiki.php.net doesn't
seem to be allowed for non-privileged users, so I'm forced to skip that
part.

The PR in question is located at the URL below, but note that I'm no C
coder and while I did test it, I'm in no way confident that it should
be implemented as is. The changes just seemed simple enough to do, so
I went with it. If not anything else, you should be able to understand
it more easily.

https://github.com/php/php-src/pull/238

What I'm proposing is that setcookie(), setrawcookie() and ext/session
should send the Max-Age attribute in the Set-Cookie header, as
described in RFC2109, RFC2965, RFC6265.

As shown in the subject, the absence of this attribute in
PHP-generated Set-Cookie headers is also listed as a bug:
https://bugs.php.net/bug.php?id=23955
Another one also related: https://bugs.php.net/bug.php?id=43439

In summary - it specifies the cookie lifetime in seconds, starting
from the current time. This means that it's a better solution than the
Expires attribute, as the user agent doesn't need to worry about
timezones and basically - it doesn't matter if its time settings are
correct.

It should also be noted that 0 (zero) or any negative value means that
the cookie should be immediately dropped.

Erroneous time settings are a problem for many users and for the
developers of web applications to whom they report this, supposedly as
a bug, and since I've personally faced such reports, I can tell - it's
really hard to debug and/or figure out the problem at first.
Considering this, I can imagine that this feature would solve a lot of
problems.

The listed RFCs specify that both Expires and Max-Age are optional
attributes, but due to the latter being relatively new - it might not
be supported by all browsers. Those that don't will ignore it, BUT
those that do - will give it a higher precedence.

To me, that makes it perfectly safe to send both Expires and Max-Age,
whenever the cookie lifetime has to be specified.

I've taken the chance to also switch the rest of the currently sent
attributes from all-lowercase to the so-called StudlyCaps presentation
(e.g. expires -> Expires). Browsers should all match them in a
case-insensitive manner, but all of the RFCs list them as proposed. In
other words - this is irrelevant, why not do it for the sake of
consistency?

Btw, since the patch is against 'master', while compiling it appeared
that it's PHP 5.5 code in that branch. That's not intentional on my
part - if it was up to me, I'd include it in the very next release. :)

Cheers,
Andrey.
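
The following PHP example is added here and is not part of the original message or of the pull request. It builds a Set-Cookie value with both Expires and Max-Age as proposed, then computes the expiry a user agent would derive under RFC 6265 when its clock runs two hours fast. The function names build_set_cookie() and ua_expiry(), the cookie name and the timestamps are constructed for illustration.

```php
<?php
// Added example, not php-src code; function names and sample values are hypothetical.

// Build a Set-Cookie value carrying both lifetime attributes, as proposed.
function build_set_cookie(string $name, string $value, int $lifetime, int $serverNow): string
{
    $expires = gmdate('D, d M Y H:i:s', $serverNow + $lifetime) . ' GMT';
    return sprintf('%s=%s; Expires=%s; Max-Age=%d', $name, rawurlencode($value), $expires, $lifetime);
}

// Expiry as a user agent derives it on its own clock (RFC 6265, section 5.3).
// Returns null for a session cookie and PHP_INT_MIN for "drop immediately".
function ua_expiry(string $header, int $clientNow, bool $supportsMaxAge): ?int
{
    $attrs = [];
    foreach (array_slice(explode(';', $header), 1) as $part) {
        [$k, $v] = array_pad(explode('=', trim($part), 2), 2, '');
        $attrs[strtolower(trim($k))] = trim($v); // names match case-insensitively
    }
    // Max-Age takes precedence when the user agent understands it.
    if ($supportsMaxAge && preg_match('/^-?\d+\z/', $attrs['max-age'] ?? '')) {
        $delta = (int) $attrs['max-age'];
        return $delta <= 0 ? PHP_INT_MIN : $clientNow + $delta;
    }
    if (isset($attrs['expires'])) {
        $ts = strtotime($attrs['expires']);
        return $ts === false ? null : $ts; // unparseable date: attribute ignored
    }
    return null;
}

$serverNow = gmmktime(12, 0, 0, 1, 1, 2015); // constructed server time (UTC)
$clientNow = $serverNow + 2 * 3600;          // constructed client clock, 2 hours fast
$header = build_set_cookie('sid', 'abc123', 3600, $serverNow);
echo "Set-Cookie: $header\n";

foreach ([false, true] as $supportsMaxAge) {
    $expiry = ua_expiry($header, $clientNow, $supportsMaxAge);
    $left = $expiry - $clientNow; // seconds of life left on the client clock
    printf("Max-Age %s: %s\n",
        $supportsMaxAge ? 'honoured' : 'ignored',
        $left > 0 ? "kept for $left s" : 'expired on arrival');
}
```

With the skewed clock, the Expires-only path treats a one-hour session cookie as already expired, while the Max-Age path keeps it for the intended 3600 seconds.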