#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311 Comment by: yoy dot noneoff at dfgh dot net Reported By: crrodriguez at suse dot de Status: Open Bug Type: *General Issues Operating System: Irrelevant PHP Version: 5.3CVS-2007-11-16 (CVS) New Comment: http://www.faqs.org/rfcs/rfc2109 http://www.faqs.org/rfcs/rfc2965 RFCS linked from the setcookie function docs ... * at least 300 cookies * at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header) ... keyword:at least so basicly php should not limit cookie length, it up to the client/browser how to handle it. Previous Comments: [2007-11-16 03:26:53] judas dot iscariote at gmail dot com corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) http://www.flyspray.org/patches/setcookie-4096btyesonly.patch [2007-11-16 01:30:40] crrodriguez at suse dot de Description: The following report caught my attention http://www.securityfocus.com/archive/1/483705 That is indeed a bug in Konqueror, but if you look the reproduce code it says. Reproduce code: --- ?php ini_set(memory_limit,200M); setcookie(hi_fox, str_repeat(A,1999)); ? Expected result: PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes. http://www.15seconds.com/faq/Cookies/388.htm http://wp.netscape.com/newsref/std/cookie_spec.html E-Warning Cookie cannot store more than %d bytes of data Actual result: -- PHP setting a 200MB cookie anyway. patch here : http://rafb.net/p/zs0ojA57.html -- Edit this bug report at http://bugs.php.net/?id=43311edit=1
#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311 Comment by: judas dot iscariote at gmail dot com Reported By: crrodriguez at suse dot de Status: Open Bug Type: *General Issues Operating System: Irrelevant PHP Version: 5.3CVS-2007-11-16 (CVS) New Comment: PHP implements the netscape spec, **not** the RFC one When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes Servers should not expect clients to be able to exceed these limits In the case of PHP, sending a cookie bigger than 4kb is useless because no browser will use it correctly, and truncating it without emitting any warning just makes debugging harder. Previous Comments: [2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net http://www.faqs.org/rfcs/rfc2109 http://www.faqs.org/rfcs/rfc2965 RFCS linked from the setcookie function docs ... * at least 300 cookies * at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header) ... keyword:at least so basicly php should not limit cookie length, it up to the client/browser how to handle it. [2007-11-16 03:26:53] judas dot iscariote at gmail dot com corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) http://www.flyspray.org/patches/setcookie-4096btyesonly.patch [2007-11-16 01:30:40] crrodriguez at suse dot de Description: The following report caught my attention http://www.securityfocus.com/archive/1/483705 That is indeed a bug in Konqueror, but if you look the reproduce code it says. Reproduce code: --- ?php ini_set(memory_limit,200M); setcookie(hi_fox, str_repeat(A,1999)); ? Expected result: PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes. http://www.15seconds.com/faq/Cookies/388.htm http://wp.netscape.com/newsref/std/cookie_spec.html E-Warning Cookie cannot store more than %d bytes of data Actual result: -- PHP setting a 200MB cookie anyway. patch here : http://rafb.net/p/zs0ojA57.html -- Edit this bug report at http://bugs.php.net/?id=43311edit=1
#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311 Comment by: judas dot iscariote at gmail dot com Reported By: crrodriguez at suse dot de Status: Open Bug Type: *General Issues Operating System: Irrelevant PHP Version: 5.3CVS-2007-11-16 (CVS) New Comment: corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) http://www.flyspray.org/patches/setcookie-4096btyesonly.patch Previous Comments: [2007-11-16 01:30:40] crrodriguez at suse dot de Description: The following report caught my attention http://www.securityfocus.com/archive/1/483705 That is indeed a bug in Konqueror, but if you look the reproduce code it says. Reproduce code: --- ?php ini_set(memory_limit,200M); setcookie(hi_fox, str_repeat(A,1999)); ? Expected result: PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes. http://www.15seconds.com/faq/Cookies/388.htm http://wp.netscape.com/newsref/std/cookie_spec.html E-Warning Cookie cannot store more than %d bytes of data Actual result: -- PHP setting a 200MB cookie anyway. patch here : http://rafb.net/p/zs0ojA57.html -- Edit this bug report at http://bugs.php.net/?id=43311edit=1
#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311 Comment by: yoy dot noneoff at dfgh dot net Reported By: crrodriguez at suse dot de Status: Open Bug Type: *General Issues Operating System: Irrelevant PHP Version: 5.3CVS-2007-11-16 (CVS) New Comment: ie7 increased the number of cookies per domain from 20 to 50, like other browsers. so why not limiting php to set max 20 cookies per domain like NS mention? Netscape also follow these rfc if the client ignore part of the cookie it's not PHP concern. what if I built an application follow the rfc and php artificially limiting me? Previous Comments: [2007-11-16 08:51:31] crrodriguez+php at suse dot de also imagine the following code setcookie (foo, $_GET['reallybigdata']) it can also exausts the PHP process or system memory(dependding on the memory limit)for no gain because the browser will truncate it anyway. [2007-11-16 08:23:38] judas dot iscariote at gmail dot com PHP implements the netscape spec, **not** the RFC one When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes Servers should not expect clients to be able to exceed these limits In the case of PHP, sending a cookie bigger than 4kb is useless because no browser will use it correctly, and truncating it without emitting any warning just makes debugging harder. [2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net http://www.faqs.org/rfcs/rfc2109 http://www.faqs.org/rfcs/rfc2965 RFCS linked from the setcookie function docs ... * at least 300 cookies * at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header) ... keyword:at least so basicly php should not limit cookie length, it up to the client/browser how to handle it. [2007-11-16 03:26:53] judas dot iscariote at gmail dot com corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) http://www.flyspray.org/patches/setcookie-4096btyesonly.patch [2007-11-16 01:30:40] crrodriguez at suse dot de Description: The following report caught my attention http://www.securityfocus.com/archive/1/483705 That is indeed a bug in Konqueror, but if you look the reproduce code it says. Reproduce code: --- ?php ini_set(memory_limit,200M); setcookie(hi_fox, str_repeat(A,1999)); ? Expected result: PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes. http://www.15seconds.com/faq/Cookies/388.htm http://wp.netscape.com/newsref/std/cookie_spec.html E-Warning Cookie cannot store more than %d bytes of data Actual result: -- PHP setting a 200MB cookie anyway. patch here : http://rafb.net/p/zs0ojA57.html -- Edit this bug report at http://bugs.php.net/?id=43311edit=1
#43311 [Com]: setcookie should not be able to set cookies larger than 4096 bytes
ID: 43311 Comment by: crrodriguez+php at suse dot de Reported By: crrodriguez at suse dot de Status: Open Bug Type: *General Issues Operating System: Irrelevant PHP Version: 5.3CVS-2007-11-16 (CVS) New Comment: also imagine the following code setcookie (foo, $_GET['reallybigdata']) it can also exausts the PHP process or system memory(dependding on the memory limit)for no gain because the browser will truncate it anyway. Previous Comments: [2007-11-16 08:23:38] judas dot iscariote at gmail dot com PHP implements the netscape spec, **not** the RFC one When a cookie larger than 4 kilobytes is encountered the cookie should be trimmed to fit, but the name should remain intact as long as it is less than 4 kilobytes Servers should not expect clients to be able to exceed these limits In the case of PHP, sending a cookie bigger than 4kb is useless because no browser will use it correctly, and truncating it without emitting any warning just makes debugging harder. [2007-11-16 08:17:45] yoy dot noneoff at dfgh dot net http://www.faqs.org/rfcs/rfc2109 http://www.faqs.org/rfcs/rfc2965 RFCS linked from the setcookie function docs ... * at least 300 cookies * at least 4096 bytes per cookie (as measured by the characters that comprise the cookie non-terminal in the syntax description of the Set-Cookie2 header, and as received in the Set-Cookie2 header) ... keyword:at least so basicly php should not limit cookie length, it up to the client/browser how to handle it. [2007-11-16 03:26:53] judas dot iscariote at gmail dot com corrected/working patch is here now (previuos had errors ..I should test patches before submitting them :) ) http://www.flyspray.org/patches/setcookie-4096btyesonly.patch [2007-11-16 01:30:40] crrodriguez at suse dot de Description: The following report caught my attention http://www.securityfocus.com/archive/1/483705 That is indeed a bug in Konqueror, but if you look the reproduce code it says. Reproduce code: --- ?php ini_set(memory_limit,200M); setcookie(hi_fox, str_repeat(A,1999)); ? Expected result: PHP limiting the cookie size to what both the spec says and other browsers do, that is name_len + value_len not larger than 4096 bytes. http://www.15seconds.com/faq/Cookies/388.htm http://wp.netscape.com/newsref/std/cookie_spec.html E-Warning Cookie cannot store more than %d bytes of data Actual result: -- PHP setting a 200MB cookie anyway. patch here : http://rafb.net/p/zs0ojA57.html -- Edit this bug report at http://bugs.php.net/?id=43311edit=1
