ID: 32802
User updated by: ast at gmx dot ch
Reported By: ast at gmx dot ch
Status: Open
Bug Type: HTTP related
Operating System: *
PHP Version: 4.*, 5.*
New Comment:
Your reproduce script does not describe this bug.
Your script describes a Server -> Browser issue.
This bug is about a Browser -> Server issue. The browser sends a Cookie
HTTP header with its request to the server.
The Cookie HTTP request header lists the cookies in the right order.
Cookies with more specific paths precede cookies with less specific
paths in the header string.
PHP populates the superglobal $_COOKIE with the wrong values when
reading/evaluating the Cookie HTTP header.
This The following reproduce script shows the PHP bug.
Please place it into document_root / test.
<?php
/* This script has to be executed in document_root/test/ or deeper */
/* set the first cookie with path '/' */
if (!isset($_COOKIE['TestCookie'])) {
setcookie("TestCookie", "Value1", time()+3600, "/");
header("Location: {$_SERVER['PHP_SELF']}");
exit();
}
/*
* set second cookie, with a more specific path, actually, the order in
which the cookies are set
* is irrelevant
*/
if (!strpos($_SERVER['HTTP_COOKIE'], 'Value2')) {
setcookie("TestCookie", "Value2", time()+3600, "/test");
header("Location: {$_SERVER['PHP_SELF']}");
exit();
}
echo '$_COOKIE[\'TestCookie\'] should have the value \'Value2\' because
it\'s the value of the cookie with the more specific path.<pre>';
var_dump($_COOKIE);
echo '</pre><br>';
echo '$_SERVER[\'HTTP_COOKIE\'] lists the cookies in the correct order,
Value2 before Value1. It conforms to RFC 2965.<pre>';
var_dump($_SERVER['HTTP_COOKIE']);
echo '</pre>';
?>
Previous Comments:
------------------------------------------------------------------------
[2005-04-24 14:01:21] [EMAIL PROTECTED]
Reproduce script:
<?php
setcookie("TestCookie", "Value1", time()+3600, "/test/");
setcookie("TestCookie", "Value2", time()+3600, "/");
if (!isset($_COOKIE['TestCookie'])) {
header("Location: {$_SERVER['PHP_SELF']}");
exit();
}
echo '<pre>';
var_dump($_COOKIE);
var_dump($_SERVER['HTTP_COOKIE']);
echo '</pre>';
?>
------------------------------------------------------------------------
[2005-04-24 03:21:37] ast at gmx dot ch
Here is a fix for my application.
/**
* Fix the superglobal $_COOKIE to conform with RFC 2965
*
* We don't use $_COOKIE[$cookiename], because it doesn't conform
to RFC 2965 (the
* cookie standard), i.e. in $_COOKIE, we don't get the cookie with
the most specific path for
* a given cookie name, we get the cookie with the least specific
cookie path.
* This function does it exactly the other way around to conform
with the RFC.
*
* This function reevaluates the HTTP Cookie header and populates
$_COOKIE with the correct
* cookies.
*
* @static
*/
function fixCookieVars() {
if (isset($_SERVER['HTTP_COOKIE']) &&
!empty($_SERVER['HTTP_COOKIE'])) {
$allCookies = explode(';', $_SERVER['HTTP_COOKIE']);
/*
* Get rid of less specific cookies if multiple cookies with
the same
NAME
* are present. Do this by going from left/first cookie to
right/last
cookie.
*/
/* Reset the $_COOKIE array */
$_COOKIE = array();
/* Repopulate it, but now correctly */
foreach ($allCookies as $cookie) {
/* Split NAME [=VALUE], value is optional */
$cookie = explode('=', $cookie);
$key = preg_replace('|\s|', '', $cookie[0]);
$value = isset($cookie[1]) ? $cookie[1] : '';
if (!isset($_COOKIE[$key])) {
$_COOKIE[$key] = $value;
}
}
}
}
}
------------------------------------------------------------------------
[2005-04-24 00:43:04] ast at gmx dot ch
the bug report that was closed as bogus (sorry, forgot to add the link.
originally, i wanted to add a comment there, but you can't add comments
to bugs that are marked as "bogus".
http://bugs.php.net/bug.php?id=18337
obviously, this isn't "bogus", as php doesn't comply with the RFC 2965
(and all common browsers comply with this RFC concerning the order of
the cookies).
How to reproduce:
See Example 2 of RFC 2965:
2 cookies, with the same NAME, but a different PATH.
It's about the precedence of cookies. Cookies with a more specific path
have precedence over cookies with less specific paths.
See Example 2 of the RFC, it's nicely explained there.
------------------------------------------------------------------------
[2005-04-23 22:05:01] [EMAIL PROTECTED]
And can you please add a short example script which CLEARLY
demonstrates the problem. (I don't know why but I can't get multiple
cookies set with same name..)
------------------------------------------------------------------------
[2005-04-23 20:50:14] [EMAIL PROTECTED]
Exactly what bug did Ilia close? And why are you submitting a new
report if one exists already?
------------------------------------------------------------------------
The remainder of the comments for this report are too long. To view
the rest of the comments, please view the bug report online at
http://bugs.php.net/32802
--
Edit this bug report at http://bugs.php.net/?id=32802&edit=1
