ID: 43311
Comment by: yoy dot noneoff at dfgh dot net
Reported By: crrodriguez at suse dot de
Status: Open
Bug Type: *General Issues
Operating System: Irrelevant
PHP Version: 5.3CVS-2007-11-16 (CVS)
New Comment:
ie7 increased the number of cookies per domain from 20 to 50, like
other browsers.
so why not limiting php to set max 20 cookies per domain like NS
"mention"?
Netscape also follow these rfc
if the client ignore part of the cookie it's not PHP concern.
what if I built an application follow the rfc and php artificially
limiting me?
Previous Comments:
------------------------------------------------------------------------
[2007-11-16 08:51:31] crrodriguez+php at suse dot de
also imagine the following code
setcookie ("foo", $_GET['reallybigdata'])
it can also exausts the PHP process or system memory(dependding on the
memory limit)for no gain because the browser will truncate it anyway.
------------------------------------------------------------------------
[2007-11-16 08:23:38] judas dot iscariote at gmail dot com
PHP implements the netscape spec, **not** the RFC one
"When a cookie larger than 4 kilobytes is encountered the cookie should
be trimmed to fit, but the name should remain intact as long as it is
less than 4 kilobytes"
"Servers should not expect clients to be able to exceed these limits"
In the case of PHP, sending a cookie bigger than 4kb is useless because
no browser will use it correctly, and truncating it without emitting any
warning just makes debugging harder.
------------------------------------------------------------------------
[2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net
http://www.faqs.org/rfcs/rfc2109
http://www.faqs.org/rfcs/rfc2965
RFCS linked from the setcookie function docs
"
...
* at least 300 cookies
* at least 4096 bytes per cookie (as measured by the characters
that comprise the cookie non-terminal in the syntax
description
of the Set-Cookie2 header, and as received in the Set-Cookie2
header)
...
"
keyword:at least
so basicly php should not limit cookie length, it up to the
client/browser how to handle it.
------------------------------------------------------------------------
[2007-11-16 03:26:53] judas dot iscariote at gmail dot com
corrected/working patch is here now (previuos had errors ..I should
test patches before submitting them :) )
http://www.flyspray.org/patches/setcookie-4096btyesonly.patch
------------------------------------------------------------------------
[2007-11-16 01:30:40] crrodriguez at suse dot de
Description:
------------
The following report caught my attention
http://www.securityfocus.com/archive/1/483705
That is indeed a bug in Konqueror, but if you look the "reproduce code"
it says.
Reproduce code:
---------------
<?php
ini_set("memory_limit","200M");
setcookie("hi_fox", str_repeat("A",19999999));
?>
Expected result:
----------------
PHP limiting the cookie size to what both the spec says and other
browsers do, that is name_len + value_len not larger than 4096 bytes.
http://www.15seconds.com/faq/Cookies/388.htm
http://wp.netscape.com/newsref/std/cookie_spec.html
E-Warning "Cookie cannot store more than %d bytes of data"
Actual result:
--------------
PHP setting a 200MB cookie anyway.
patch here : http://rafb.net/p/zs0ojA57.html
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=43311&edit=1
