#21182 closed defect (bug) (fixed)
WP_HTTP_Cookie doesn't handle the default conditions for the 'domain' and 'path' fields correctly.
| Reported by: | | Owned by: | |
|---|---|---|---|
| Milestone: | 3.7 | Priority: | low |
| Severity: | minor | Version: | |
| Component: | HTTP API | Keywords: | has-patch commit |
| Focuses: | | Cc: | |
Description
WP_HTTP_Cookie currently handles "simple" cookies in exactly the same way they're received, that is, it only fills in the details that the set-cookie header contained.
However, some fields are optional, and as a result of this, the RFC for state management specifies a set of default values for certain fields:

> 4.3.1 Interpreting Set-Cookie
>
> The user agent keeps separate track of state information that arrives via Set-Cookie response headers from each origin server (as distinguished by name or IP address and port). The user agent applies these defaults for optional attributes that are missing:
>
> - Version: Defaults to "old cookie" behavior as originally specified by Netscape. See the HISTORICAL section.
> - Domain: Defaults to the request-host. (Note that there is no dot at the beginning of request-host.)
> - Max-Age: The default behavior is to discard the cookie when the user agent exits.
> - Path: Defaults to the path of the request URL that generated the Set-Cookie response, up to, but not including, the right-most /.
> - Secure: If absent, the user agent may send the cookie over an insecure channel.
We currently don't do anything special for Secure cookies (from what I can see), but we also need to handle the 'domain' and 'path' field defaults better, as currently they remain at the default null if nothing is passed. This can result in cookies passing the WP_HTTP_Cookie::test() method for a different domain or path than they were issued on.
Example cookie values (and WP_HTTP_Cookie representations) which can trigger this:

```
PHPSESSID=ros1liponkqip23k9le0hhmp31; path=/' (length=44)
test=1341632838; expires=Sat, 07-Jul-2012 04:47:18 GMT

array (size=2)
  0 =>
    object(WP_Http_Cookie)[87]
      public 'name' => string 'PHPSESSID' (length=9)
      public 'value' => string 'ros1liponkqip23k9le0hhmp31' (length=26)
      public 'expires' => null
      public 'path' => string '/' (length=1)
      public 'domain' => null
  1 =>
    object(WP_Http_Cookie)[86]
      public 'name' => string 'test' (length=4)
      public 'value' => string '1341632838' (length=10)
      public 'expires' => int 1341636438
      public 'path' => null
      public 'domain' => null
```
This is not an issue for WordPress core, but could affect plugins that do anything special with cookies.
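The RFC defaults quoted in the description, applied to the ticket's own header values, as an added illustration that is not part of the ticket or of WordPress core. The helpers `rfc_cookie_parse()` and `rfc_cookie_matches()`, the request URL `http://example.com/wp-admin/admin-ajax.php` on which the cookies are assumed to have been issued, and the target URLs are all assumptions made for this example; the two Set-Cookie values are modelled on those in the ticket.

```php
<?php
// Added example, not WordPress core code: applies the defaults for missing
// 'domain' and 'path' attributes and shows why leaving them null lets a cookie
// match hosts and paths it was never issued for.
// rfc_cookie_parse() and rfc_cookie_matches() are hypothetical helpers.

/**
 * Parse one Set-Cookie header value into the shape WP_Http_Cookie exposes
 * (name, value, expires, path, domain). With $apply_defaults the missing
 * attributes get the RFC values: domain = request host (no leading dot),
 * path = request path up to, but not including, the right-most '/'.
 */
function rfc_cookie_parse(string $set_cookie, string $request_url, bool $apply_defaults = true): array {
    $url          = parse_url($request_url);
    $request_host = strtolower($url['host'] ?? '');
    $request_path = $url['path'] ?? '/';

    $parts = array_map('trim', explode(';', $set_cookie));
    [$name, $value] = array_pad(explode('=', array_shift($parts), 2), 2, '');

    $cookie = ['name' => $name, 'value' => $value, 'expires' => null, 'path' => null, 'domain' => null];
    foreach ($parts as $attr) {
        [$key, $val] = array_pad(explode('=', $attr, 2), 2, '');
        $key = strtolower($key);
        if ($key === 'expires') {
            $cookie['expires'] = strtotime($val) ?: null;
        } elseif ($key === 'path' || $key === 'domain') {
            $cookie[$key] = $val !== '' ? $val : null;
        }
    }

    if ($apply_defaults) {
        if ($cookie['domain'] === null) {
            $cookie['domain'] = $request_host;          // request-host, no leading dot
        }
        if ($cookie['path'] === null) {
            // Everything before the right-most '/'; a bare "/file" or "/" yields "/".
            $dir = substr($request_path, 0, (int) strrpos($request_path, '/'));
            $cookie['path'] = $dir === '' ? '/' : $dir;
        }
    }
    return $cookie;
}

/**
 * Would a user agent send this cookie to $url? Domain-match: the host equals
 * the cookie domain, or the domain starts with '.' and the host ends with it.
 * Path-match: the URL path is prefixed by the cookie path. A null domain or
 * path imposes no restriction at all, which is the behaviour the ticket reports.
 */
function rfc_cookie_matches(array $cookie, string $url): bool {
    $parts = parse_url($url);
    $host  = strtolower($parts['host'] ?? '');
    $path  = $parts['path'] ?? '/';

    if ($cookie['domain'] !== null) {
        $domain = strtolower($cookie['domain']);
        if (strpos($domain, '.') === 0) {
            $ok = $host === substr($domain, 1)
               || substr($host, -strlen($domain)) === $domain;
        } else {
            $ok = $host === $domain;
        }
        if (!$ok) {
            return false;
        }
    }
    if ($cookie['path'] !== null && strpos($path, $cookie['path']) !== 0) {
        return false;
    }
    return true;
}

// Constructed inputs modelled on the ticket: the second header carries neither
// a domain nor a path attribute. The request URL is an assumption.
$issued_on = 'http://example.com/wp-admin/admin-ajax.php';
$headers   = [
    'PHPSESSID=ros1liponkqip23k9le0hhmp31; path=/',
    'test=1341632838; expires=Sat, 07-Jul-2012 04:47:18 GMT',
];
$targets = [
    'http://example.com/wp-admin/post.php',
    'http://example.com/wp-login.php',
    'http://other.example.org/wp-admin/post.php',
];

foreach ($headers as $raw) {
    $received  = rfc_cookie_parse($raw, $issued_on, false); // as WP_Http_Cookie stores it today
    $defaulted = rfc_cookie_parse($raw, $issued_on, true);  // with the RFC defaults filled in
    printf("%s\n  as received:   domain=%s path=%s\n  with defaults: domain=%s path=%s\n",
        $raw,
        var_export($received['domain'], true),  var_export($received['path'], true),
        var_export($defaulted['domain'], true), var_export($defaulted['path'], true));
    foreach ($targets as $target) {
        printf("  %-45s received=%-3s defaulted=%s\n", $target,
            rfc_cookie_matches($received, $target)  ? 'yes' : 'no',
            rfc_cookie_matches($defaulted, $target) ? 'yes' : 'no');
    }
}
```

Run it with `php example.php`. Parsed as received, the `test` cookie has no domain or path and therefore matches every target, including the unrelated host, which is exactly the leak the description attributes to WP_HTTP_Cookie::test(). With the defaults applied it is confined to the issuing host under the directory of the issuing request, so the unrelated host and the path outside that directory are both rejected, while the `PHPSESSID` cookie keeps its explicit `path=/` and only gains the host restriction.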
Attachments (4)
Change History (11)
#1
@
12 years ago
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
#3
@
12 years ago
Attachment 21182.2.diff added
This is 21182.diff minus the code for #17588
Needs testing that cookies pass between requests correctly and that they overwrite/update each other correctly.
#4
@
12 years ago
- Milestone changed from Future Release to 3.7
Moved passing cookies to further locations on redirects to #24987
This builds off 17588.2.diff for #17588 and adds full Cookie Support to the HTTP API.
Still doesn't handle anything to do with the Secure parameter, or HTTPOnly parameter (not that the latter is of concern to us).