This is an issue with cookies: when you get multiple response headers with the same name, they are overridden. This is probably what we want for location but for set-cookie this is bad. So says RFC 2109:

Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | set_cookie.patch | 883 bytes | chx |
| | resp.patch | 775 bytes | chx |

Comments

killes@www.drop.org

Status: Needs review » Reviewed & tested by the community

According to the cited RFC I believe this to be correct. The patch does apply and does not cause parse errors. ;)

Dries

Status: Reviewed & tested by the community » Needs work

Please add a code comment quoting the relevant bits of the RFC. Like that, we'll be able to understand what is going on.

chx

Status: Needs work » Reviewed & tested by the community
File size: 883 bytes

Well, now I feel this is ready to be committed. I even put a conditional in it, so only the Set-Cookie header gets different treatment.

Dries

Where did this bug trigger? One could argue that the $header-array (input parameter) is malformed and that it is the caller's problem.

chx

The $header parameter is something you send out and what this patch affects are the result headers.

This occurs if a site sets more than one cookie, which is not unheard of.

Dries

But _who_ calls drupal_http_request like that? Where is the culprit that triggered this bug?

chx

Try lynx http://www.paypal.com . You'll get:

www.paypal.com cookie: sc_lucky_value=C8DF7645 Allow? (Y/N/Always/neVer)
www.paypal.com cookie: cookie_check=yes Allow? (Y/N/Always/neVer)
ww.paypal.com cookie: Apache=80.98.163.54.5329112474109433 Allow? (Y/N/Always/neVer)

So, you need to take care of three Set-Cookie headers. If you take a look at the current code, only the last would be returned.
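
The behaviour discussed in this thread, as an added example that is not part of the issue or of the attached patches: a header parser that keeps only the last Set-Cookie, next to one that joins repeated Set-Cookie headers with commas. The function names are hypothetical and the sample response is constructed.

```php
<?php
// Added illustration: function names are hypothetical, sample headers are constructed.

// Naive parse: a repeated header name overwrites the earlier value.
function parse_headers_overwrite(array $lines): array {
  $headers = [];
  foreach ($lines as $line) {
    if (strpos($line, ':') === false) {
      continue; // Status line or malformed line: no "name: value" pair.
    }
    [$name, $value] = explode(':', $line, 2);
    $headers[trim($name)] = trim($value);
  }
  return $headers;
}

// Same parse, but a repeated Set-Cookie is appended as a comma-separated
// list, following the RFC 2109 wording quoted in the issue summary.
function parse_headers_merge_cookies(array $lines): array {
  $headers = [];
  foreach ($lines as $line) {
    if (strpos($line, ':') === false) {
      continue;
    }
    [$name, $value] = explode(':', $line, 2);
    $name = trim($name);
    $value = trim($value);
    if (isset($headers[$name]) && strcasecmp($name, 'Set-Cookie') === 0) {
      $headers[$name] .= ',' . $value;
    }
    else {
      $headers[$name] = $value;
    }
  }
  return $headers;
}

// Constructed response: three Set-Cookie headers, as in the lynx session above.
$lines = [
  'HTTP/1.1 200 OK',
  'Content-Type: text/html',
  'Set-Cookie: sample_a=1; path=/',
  'Set-Cookie: sample_b=yes; path=/',
  'Set-Cookie: sample_c=xyz; path=/',
];

echo parse_headers_overwrite($lines)['Set-Cookie'], PHP_EOL;
echo parse_headers_merge_cookies($lines)['Set-Cookie'], PHP_EOL;
```

A cookie attribute that itself contains a comma, such as an Expires date, makes the joined string ambiguous to split again, so a caller that needs the individual cookies is better served by keeping the values in a list.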

Dries

Status: Reviewed & tested by the community » Fixed

Committed to HEAD.

Anonymous

Status: Fixed » Closed (fixed)