
SetCookie: leading dot in domain

Open · bohdanly opened this issue 10 years ago · 1 comment

I have an issue with `SetCookie::isValidForRequest()`. There is unexpected behavior with cookies when making a request. The problem is that a `SetCookie` for `.example.com` does not apply to `www.example.com`, or even to `example.com`.

According to RFC 6265, section 4.1.2.3, a cookie with domain `.example.com` must be passed when `www.example.com` or `example.com` is requested.

```php
// Current check in SetCookie::isValidForRequest(): substring search for the
// cookie domain inside the request domain, with the leading dot kept.
if ($this->getDomain() && (strrpos($requestDomain, $this->getDomain()) === false)) {
    return false;
}
```

I saw that `SetCookie` refers to RFC 2109, but it's too old (1997).

> Prior to this document (RFC6265), there were at least three descriptions of
> cookies: the so-called "Netscape cookie specification" [Netscape],
> RFC 2109 [RFC2109], and RFC 2965 [RFC2965].  However, none of these
> documents describe how the Cookie and Set-Cookie headers are actually
> used on the Internet (see [Kri2001] for historical context).  In
> relation to previous IETF specifications of HTTP state management
> mechanisms, this document requests the following actions:
>
> 1.  Change the status of [RFC2109] to Historic (it has already been
>     obsoleted by [RFC2965]).
>
> 2.  Change the status of [RFC2965] to Historic.
>
> 3.  Indicate that [RFC2965] has been obsoleted by this document.

In these cases:

```php
(strrpos("www.example.com", ".example.com") === false)
(strrpos("example.com", ".example.com") === false)
```

the condition must evaluate to false to prevent the method from returning false.


The solution is to use `'.' . ltrim($domain, '.')`:

```php
// Proposed check: normalise both sides to exactly one leading dot before
// searching, so ".example.com" is found in ".www.example.com" and ".example.com".
if ($this->getDomain()) {
    if (strrpos(('.' . ltrim($requestDomain, '.')), ('.' . ltrim($this->getDomain(), '.'))) === false) {
        return false;
    }
}
```

Some tests:

```php
// Helper that applies the same normalisation to a domain string.
$foo = function ($value) {
    return '.' . ltrim($value, '.');
};
```

| # | $domain | $requested | $foo($domain) | $foo($requested) | will apply |
|---|---------|------------|---------------|------------------|------------|
| 1 | test.com | test.com | .test.com | .test.com | yes |
| 2 | .test.com | test.com | .test.com | .test.com | yes |
| 3 | www.test.com | test.com | .www.test.com | .test.com | no |
| 4 | .www.test.com | test.com | .www.test.com | .test.com | no |
| 5 | faketest.com | test.com | .faketest.com | .test.com | no |
| 6 | test.com | www.test.com | .test.com | .www.test.com | yes |
| 7 | .test.com | www.test.com | .test.com | .www.test.com | yes |
| 8 | www.test.com | www.test.com | .www.test.com | .www.test.com | yes |
| 9 | .www.test.com | www.test.com | .www.test.com | .www.test.com | yes |
| 10 | faketest.com | www.test.com | .faketest.com | .www.test.com | no |
| 11 | test.com | foo.test.com | .test.com | .foo.test.com | yes |
| 12 | .test.com | foo.test.com | .test.com | .foo.test.com | yes |
| 13 | www.test.com | foo.test.com | .www.test.com | .foo.test.com | no |
| 14 | .www.test.com | foo.test.com | .www.test.com | .foo.test.com | no |
| 15 | faketest.com | foo.test.com | .faketest.com | .foo.test.com | no |

bohdanly avatar Jun 22 '15 22:06 bohdanly
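The following is an added example, not code from zend-http or from the issue author; the function names `domainMatches` and `strrposMatches` and the sample rows are my own. It implements the domain-match rule of RFC 6265 section 5.1.3 (the leading dot on the cookie domain is ignored, as section 5.2.3 requires) and runs it, next to the `strrpos` check proposed in the issue, over the 15 rows of the table above plus two constructed hosts on which substring search and suffix matching disagree.

```php
<?php
// Added example (not zend-http code): RFC 6265 section 5.1.3 domain-matching,
// compared against the strrpos-based check proposed in the issue.

/** RFC 6265 section 5.1.3: does $requestHost domain-match $cookieDomain? */
function domainMatches(string $requestHost, string $cookieDomain): bool
{
    // Host names compare case-insensitively; a trailing dot on the request
    // host is dropped and a leading dot on the cookie domain is ignored.
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(ltrim($cookieDomain, '.'));

    if ($host === $domain) {
        return true;                     // identical strings always match
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;                    // an IP literal matches only itself
    }
    // Otherwise $domain must be a suffix of $host and the character right
    // before that suffix must be "." (folded into $suffix), which is what
    // keeps "faketest.com" from matching "test.com".
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr_compare($host, $suffix, -strlen($suffix)) === 0;
}

/** The strrpos check proposed in the issue, kept for side-by-side comparison. */
function strrposMatches(string $requestHost, string $cookieDomain): bool
{
    return strrpos('.' . ltrim($requestHost, '.'), '.' . ltrim($cookieDomain, '.')) !== false;
}

// Constructed cases: [cookie domain, request host, expected "will apply"].
$cases = [
    ['test.com',      'test.com',         true],   // 1
    ['.test.com',     'test.com',         true],   // 2
    ['www.test.com',  'test.com',         false],  // 3
    ['.www.test.com', 'test.com',         false],  // 4
    ['faketest.com',  'test.com',         false],  // 5
    ['test.com',      'www.test.com',     true],   // 6
    ['.test.com',     'www.test.com',     true],   // 7
    ['www.test.com',  'www.test.com',     true],   // 8
    ['.www.test.com', 'www.test.com',     true],   // 9
    ['faketest.com',  'www.test.com',     false],  // 10
    ['test.com',      'foo.test.com',     true],   // 11
    ['.test.com',     'foo.test.com',     true],   // 12
    ['www.test.com',  'foo.test.com',     false],  // 13
    ['.www.test.com', 'foo.test.com',     false],  // 14
    ['faketest.com',  'foo.test.com',     false],  // 15
    // Extra constructed rows where substring search and suffix matching differ:
    ['test.com',      'test.com.example', false],  // "test.com" is not the suffix here
    ['test.com',      'WWW.TEST.COM',     true],   // host names are case-insensitive
];

printf("%-15s %-18s %-8s %-8s %-8s\n", 'domain', 'request', 'expect', 'rfc6265', 'strrpos');
foreach ($cases as [$domain, $host, $expected]) {
    $rfc = domainMatches($host, $domain);
    $old = strrposMatches($host, $domain);
    printf("%-15s %-18s %-8s %-8s %-8s\n",
        $domain, $host, var_export($expected, true), var_export($rfc, true), var_export($old, true));
    assert($rfc === $expected, "domain-match mismatch for $domain / $host");
}
```

Run it with `php domain_match.php` (any file name works). On the 15 table rows the two columns agree, so the proposed fix does resolve the reported leading-dot problem. The two extra rows show why a suffix comparison is the faithful implementation of section 5.1.3: `strrpos` accepts the needle anywhere in the haystack, not only at its end, and it compares case-sensitively, whereas host names are case-insensitive. The results are printed as well as asserted because `assert()` is disabled under the production `php.ini` settings.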

This repository has been closed and moved to laminas/laminas-http; a new issue has been opened at https://github.com/laminas/laminas-http/issues/28.

weierophinney avatar Dec 31 '19 22:12 weierophinney