
A certain web client that I need to support is sending the Cookie header back to my application twice in the HTTP headers. This in turn makes PHP unable to read the correct value for the cookie, thus ignoring the session.

Here is the relevant part of the request I am seeing:

GET / HTTP/1.1
Cache-Control: max-age=0
Accept-Language: en-US
Cookie: PHPSESSID=49af82ddf12740e6a35b15985e93d91a
Connection: Keep-Alive
Cookie: PHPSESSID=49af82ddf12740e6a35b15985e93d91a
[...] Other irrelevant headers

I have two questions:

Is that a PHP bug? Or is the behavior undefined when the client sends that same header twice?

Is there a quick workaround to make things work without having to manually parse the HTTP headers so I can read the right value of the cookie (and session) in my application? Or should I manually parse the HTTP header to set the session to its correct value?

  • What server software are you using? Commented Dec 29, 2011 at 12:14

1 Answer

According to the HTTP spec, a double header simply concatenates the values together with a comma, making it:

Cookie: PHPSESSID=49af82ddf12740e6a35b15985e93d91a, PHPSESSID=49af82ddf12740e6a35b15985e93d91a

PHP should be able to parse the cookies, but the behavior of sessions is undefined when there are two session IDs.

I strongly recommend fixing the client. If that's not an option, you'll have to parse the headers manually.


4 Comments

Thanks, I'll try to see if the client can be quickly fixed
I was unable to find the reference in the spec that describes this behavior, can you link me up?
Multiple message-header fields with the same field-name MAY be present in a message if and only if the entire field-value for that header field is defined as a comma-separated list [i.e., #(values)]. It MUST be possible to combine the multiple header fields into one "field-name: field-value" pair, without changing the semantics of the message, by appending each subsequent field-value to the first, each separated by a comma. Section 4.2
Thanks @Tom the client's vendor has since acknowledged the problem is from their side and is working on a patch.
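
The manual parsing suggested in the answer, as an added example that is not part of the original thread: it collapses identical repeats of the session cookie and refuses to choose when the repeats disagree, since the session to use is then ambiguous. The function names, the ID format check and the second sample header are assumptions made for illustration, as is the premise that the server exposes the merged header in `$_SERVER['HTTP_COOKIE']`.

```php
<?php
declare(strict_types=1);

// Return the single value of cookie $name from a raw Cookie header that may
// be several duplicate header lines joined with commas. Returns null when the
// cookie is absent; throws when the occurrences disagree.
// Assumption: cookie values themselves contain no "," or ";".
function resolveCookie(string $rawHeader, string $name): ?string
{
    $seen = [];
    foreach (preg_split('/[;,]/', $rawHeader) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) === 2 && $parts[0] === $name) {
            $seen[$parts[1]] = true;   // identical repeats collapse to one key
        }
    }
    if ($seen === []) {
        return null;
    }
    if (count($seen) > 1) {
        // Different IDs for one session cookie: refuse rather than guess.
        throw new UnexpectedValueException("conflicting values for cookie $name");
    }
    return (string) array_key_first($seen); // numeric-looking keys become ints
}

// Accept only IDs that look like PHP session IDs before handing them to PHP.
function resolveSessionId(string $rawHeader, string $name = 'PHPSESSID'): ?string
{
    $id = resolveCookie($rawHeader, $name);
    return ($id !== null && preg_match('/^[A-Za-z0-9-]{22,256}$/D', $id) === 1) ? $id : null;
}

// Constructed inputs: the merged header from the question, then a conflicting pair.
$merged   = 'PHPSESSID=49af82ddf12740e6a35b15985e93d91a, PHPSESSID=49af82ddf12740e6a35b15985e93d91a';
$conflict = 'PHPSESSID=49af82ddf12740e6a35b15985e93d91a, PHPSESSID=00000000000000000000000000000000';

var_dump(resolveSessionId($merged));
try {
    resolveSessionId($conflict);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}

// In the application (assumes the server exposes the merged header here):
// $id = resolveSessionId($_SERVER['HTTP_COOKIE'] ?? '', session_name());
// if ($id !== null) { session_id($id); }
// session_start();
```

`session_id()` has to be called before `session_start()` for the resolved ID to take effect.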
