ID:               34734
Updated by:       [EMAIL PROTECTED]
Reported By:      gustav at cst dot co dot za
-Status:          Assigned
+Status:          Bogus
Bug Type:         *General Issues
Operating System: Windows Server 2003
PHP Version:      4.4.0
Assigned To:      sesser
New Comment:

Version 1 Cookies are not supported by PHP
Therefore whatever RFC 2965 says is irrelevant

If you want version 1 cookie support, then add a feature request


Previous Comments:
------------------------------------------------------------------------

[2005-10-04 18:27:58] [EMAIL PROTECTED]

Stefan, you had a patch ready? :)

------------------------------------------------------------------------

[2005-10-04 17:38:51] gustav at cst dot co dot za

Description:
------------
This bug was classified "Won't fix" before, because according to [EMAIL PROTECTED], it would not be backwards compatible with the netscape cookie specification. See #32827 (http://bugs.php.net/bug.php?id=32827) for details.

However, [EMAIL PROTECTED]'s interpretation of the netscape cookie standard is incompatible with the HTTP protocol specification and the "HTTP State Management Mechanism" specification. "Backwards compatibility" in this case breaks more than it fixes. See #32966 (http://bugs.php.net/bug.php?id=32966) and #32111 (http://bugs.php.net/bug.php?id=32111) for details.

The problem I encountered is the same as #32966. I get two "Cookie:" headers which are then combined into one by separating them with a comma. This breaks the session id.

Now my motivation for why cookies *must* be allowed to be comma separated:

In both the HTTP/1.0 and HTTP/1.1 protocol specifications (RFCs 1945 and 2068) it is stated in section 4.2 (Message Headers) that:

    Multiple HTTP-header fields with the same field-name may be present
    in a message if and only if the entire field-value for that header
    field is defined as a comma-separated list [i.e., #(values)]. It
    must be possible to combine the multiple header fields into one
    "field-name: field-value" pair, without changing the semantics of
    the message, by appending each subsequent field-value to the first,
    each separated by a comma.

Also, in the "HTTP State Management Mechanism" specification (RFC 2965) section 3.3.4 (Sending Cookies to the Origin Server) defines the syntax of the cookie header as:

    cookie = "Cookie:" cookie-version 1*((";" | ",") cookie-value)

Thereby showing that plain commas imply a separate cookie.

Reproduce code:
---------------
Using a raw telnet session to IIS running PHP:

    GET / HTTP/1.0
    Host: myhost.somewhere.com
    Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
    Cookie: $Version="1"; id="8";

Expected result:
----------------
No error.

Actual result:
--------------
session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9


------------------------------------------------------------------------


--
Edit this bug report at http://bugs.php.net/?id=34734&edit=1
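
The header folding and the two separator rules discussed in this report, as an added example that is not code from the report or from PHP. The function names are hypothetical and the parser is a simplified model (it does not track quoted strings); the input is the report's own telnet request.

```python
import re

# Cookie header values copied from the report's telnet reproduction.
COOKIE_HEADERS = [
    "PHPSESSID=6664337de02c5bad6c175e0bb3c10a45",
    '$Version="1"; id="8";',
]

# Character set quoted in the session_start() warning from the report.
VALID_SESSION_ID = re.compile(r"[A-Za-z0-9]+")


def combine_headers(values):
    """Fold repeated header fields into one field-value, comma-separated,
    as RFC 2068 section 4.2 allows an intermediary or server to do."""
    return ", ".join(values)


def parse_cookies(header_value, separators):
    """Split a Cookie field-value on the given separator characters.

    Simplified model (assumption): quoted strings are not tracked, so a
    separator inside a quoted value would also split the cookie.
    """
    cookies = {}
    for pair in re.split("[" + re.escape(separators) + "]", header_value):
        name, eq, value = pair.strip().partition("=")
        if eq and name:
            cookies.setdefault(name, value.strip())
    return cookies


def session_id_ok(cookies, name="PHPSESSID"):
    """Apply the a-z, A-Z, 0-9 check to the session cookie value."""
    return bool(VALID_SESSION_ID.fullmatch(cookies.get(name, "")))


if __name__ == "__main__":
    combined = combine_headers(COOKIE_HEADERS)
    print("combined field-value:", combined)
    # ";" only models the Netscape-style split; ";," models RFC 2965.
    for label, seps in (("';' only", ";"), ("';' or ','", ";,")):
        parsed = parse_cookies(combined, seps)
        print(label, parsed, "valid session id:", session_id_ok(parsed))
```

With ";" as the only separator, the comma and the `$Version` attribute end up inside the PHPSESSID value, which is what trips the character check quoted under "Actual result".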