
Request #9187 Adding httponly to setcookie/setrawcookie (new in php 5.2)
Submitted: 2006-10-28 01:59 UTC
From: neufeind Assigned: aidan
Status: Closed Package: PHP_Compat (version CVS)
PHP Version: Irrelevant OS:
Roadmaps: 1.6.0a1    
 
 [2006-10-28 01:59 UTC] neufeind (Stefan Neufeind)
Description:
------------
Starting with php 5.2 (according to Ilia's blog) there will be the $httponly-parameter for setcookie/setrawcookie. Since a workaround exists to make httponly also work with php before 5.2, that's where php_compat might come into play.

Background on httponly:
http://ilia.ws/archives/121-httpOnly-cookie-flag-support-in-PHP-5.2.html
http://blog.php-security.org/archives/40-httpOnly-Cookies-in-Firefox-2.0.html
http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html

Comments

 [2006-10-28 02:01 UTC] neufeind at php dot net (Stefan Neufeind)
Suggested as setcookie.php. NOTE: untested - please do a quick check in case this is committed. Also please fix/remove the @require.

<?php
// +----------------------------------------------------------------------+
// | PHP Version 4                                                        |
// +----------------------------------------------------------------------+
// | Copyright (c) 1997-2004 The PHP Group                                |
// +----------------------------------------------------------------------+
// | This source file is subject to version 3.0 of the PHP license,       |
// | that is bundled with this package in the file LICENSE, and is        |
// | available at through the world-wide-web at                           |
// | http://www.php.net/license/3_0.txt.                                  |
// | If you did not receive a copy of the PHP license and are unable to   |
// | obtain it through the world-wide-web, please send a note to          |
// | license@php.net so we can mail you a copy immediately.               |
// +----------------------------------------------------------------------+
// | Author: Stefan Neufeind <neufeind@php.net>                           |
// +----------------------------------------------------------------------+
//
// $Id: $

/**
 * Replace setcookie()
 *
 * @category    PHP
 * @package     PHP_Compat
 * @link        http://php.net/function.setcookie
 * @author      Stefan Neufeind <neufeind@php.net>
 * @version     $Revision: $
 * @internal    native support for including httponly-argument as of PHP 5.2.0
 * @since       PHP 5.2.0
 * @require     PHP 4.x ???
 */
function php_compat_setcookie($name, $value = '', $expire = 0, $path = '', $domain = '', $secure = false, $httponly = false)
{
    // following the idea on Matt Mecham's blog
    // http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html
    // The flag rides along in the domain argument, and only when requested.
    if ($httponly) {
        $domain .= '; HttpOnly';
    }
    return setcookie($name, $value, $expire, $path, $domain, $secure);
}

/**
 * Replace setrawcookie()
 *
 * @category    PHP
 * @package     PHP_Compat
 * @link        http://php.net/function.setcookie
 * @author      Stefan Neufeind <neufeind@php.net>
 * @version     $Revision: $
 * @internal    native support for including httponly-argument as of PHP 5.2.0
 * @since       PHP 5.2.0
 * @require     PHP 4.x ???
 */
function php_compat_setrawcookie($name, $value = '', $expire = 0, $path = '', $domain = '', $secure = false, $httponly = false)
{
    // following the idea on Matt Mecham's blog
    // http://blog.mattmecham.com/archives/2006/09/http_only_cookies_without_php.html
    if ($httponly) {
        $domain .= '; HttpOnly';
    }
    return setrawcookie($name, $value, $expire, $path, $domain, $secure);
}

// NOTE: setcookie() is a built-in function (setrawcookie() too, as of PHP 5),
// and PHP does not allow an existing function to be redeclared, so this block
// stops with a fatal error when it runs. On PHP < 5.2, call the
// php_compat_*() functions directly.
if (version_compare(PHP_VERSION, '5.2.0', '<')) {
    function setcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
    {
        return php_compat_setcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
    }

    function setrawcookie($name, $value, $expire, $path, $domain, $secure, $httponly)
    {
        return php_compat_setrawcookie($name, $value, $expire, $path, $domain, $secure, $httponly);
    }
}
?>
 [2006-12-14 06:01 UTC] aidan (Aidan Lister)
I've added the two files for setcookie and setrawcookie. Note: The setrawcookie function should make use of the header function to avoid the values being urlencoded. I'll add this as a todo.
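
The last comment says setrawcookie should go through header() so that values are not urlencoded. A sketch of that approach, added here as an example and not taken from PHP_Compat or from anyone in this thread; the example_* function names and the sample values are assumptions:

```php
<?php
// Added example, not PHP_Compat code; example_* names are hypothetical.

/**
 * Build a raw (not urlencoded) Set-Cookie header line.
 * Returns the header string, or false when a field contains a character
 * the native cookie functions refuse. Rejecting CR/LF also keeps a
 * caller-supplied value from adding response headers of its own.
 */
function example_raw_cookie_header($name, $value = '', $expire = 0, $path = '',
                                   $domain = '', $secure = false, $httponly = false)
{
    if ($name === '' || preg_match('/[=,; \t\r\n\x0B\x0C]/', $name)) {
        return false;
    }
    foreach (array($value, $path, $domain) as $field) {
        if (preg_match('/[,; \t\r\n\x0B\x0C]/', $field)) {
            return false;
        }
    }
    $header = 'Set-Cookie: ' . $name . '=' . $value;
    if ($expire > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '')   { $header .= '; path=' . $path; }
    if ($domain !== '') { $header .= '; domain=' . $domain; }
    if ($secure)        { $header .= '; secure'; }
    if ($httponly)      { $header .= '; HttpOnly'; }
    return $header;
}

/** Send the cookie; takes the same arguments as example_raw_cookie_header(). */
function example_setrawcookie()
{
    $header = call_user_func_array('example_raw_cookie_header', func_get_args());
    if ($header === false || headers_sent()) {
        return false;
    }
    header($header, false); // false = append, keep earlier Set-Cookie lines
    return true;
}

// Constructed sample values: a base64-style value is kept byte for byte,
// and a value carrying CR/LF is refused.
var_dump(example_raw_cookie_header('sid', 'a+b/c=', 0, '/', 'example.org', true, true));
var_dump(example_raw_cookie_header('sid', "x\r\nX-Injected: 1"));
```

Because the HttpOnly attribute is written as its own field here, nothing has to be smuggled through the domain argument.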