This is an issue with cookies: when you get multiple response headers with the same name, they are overridden. This is probably what we want for location but for set-cookie this is bad. So says RFC 2109:
Informally, the Set-Cookie response header comprises the token Set-Cookie:, followed by a comma-separated list of one or more cookies.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | set_cookie.patch | 883 bytes | chx |
| | resp.patch | 775 bytes | chx |
Comments
Comment #1
killes@www.drop.org commented:
According to the cited RFC, I believe this to be correct. The patch does apply and does not cause parse errors. ;)
Comment #2
Dries commented:
Please add a code comment quoting the relevant bits of the RFC. Like that, we'll be able to understand what is going on.
Comment #3
chx commented:
Well, now I feel this is ready to be committed. I even put a conditional in it, so only the Set-Cookie header gets different treatment.
Comment #4
Dries commented:
Where did this bug trigger? One could argue that the $header-array (input parameter) is malformed and that it is the caller's problem.
Comment #5
chx commented:
The $header parameter is something you send out and what this patch affects are the result headers.
This occurs if a site sets more than one cookie, which is not unheard of.
Comment #6
Dries commented:
But _who_ calls drupal_http_request like that? Where is the culprit that triggered this bug?
Comment #7
chx commented:
Try lynx http://www.paypal.com . You'll get:
www.paypal.com cookie: sc_lucky_value=C8DF7645 Allow? (Y/N/Always/neVer)
www.paypal.com cookie: cookie_check=yes Allow? (Y/N/Always/neVer)
ww.paypal.com cookie: Apache=80.98.163.54.5329112474109433 Allow? (Y/N/Always/neVer)
So, you need to take care of three Set-Cookie headers. If you take a look at the current code, only the last would be returned.
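The behaviour discussed in this thread, as an added example that is neither Drupal's code nor either attached patch: a header parser where a repeated name overwrites the earlier value, next to the comma-joined Set-Cookie handling quoted from RFC 2109. It goes one step beyond the thread by also keeping the cookies as a list. The function name `parse_response_headers()`, the mode names and the sample response are assumptions made for illustration.

```php
<?php
// Added illustration; parse_response_headers() is a hypothetical helper,
// not drupal_http_request() itself.
//   'overwrite': a repeated header name replaces the earlier value.
//   'join':      repeated Set-Cookie values are joined with commas;
//                every other header still keeps only the last value.
//   'list':      repeated Set-Cookie values are kept as an array.
function parse_response_headers(array $lines, $mode) {
  $headers = array();
  foreach ($lines as $line) {
    if (strpos($line, ':') === FALSE) {
      continue; // Status line or malformed line: no header name.
    }
    list($name, $value) = explode(':', $line, 2);
    $name = trim($name);
    $value = trim($value);
    $is_cookie = strcasecmp($name, 'Set-Cookie') === 0;
    if ($is_cookie) {
      $name = 'Set-Cookie'; // Normalise case so repeats share one key.
    }
    if ($is_cookie && $mode === 'list') {
      $headers[$name][] = $value;
    }
    elseif ($is_cookie && $mode === 'join' && isset($headers[$name])) {
      $headers[$name] .= ',' . $value;
    }
    else {
      $headers[$name] = $value;
    }
  }
  return $headers;
}

// Constructed sample response (cookie names and values are made up).
$lines = array(
  'HTTP/1.1 200 OK',
  'Set-Cookie: a=1; Expires=Wed, 09 Jun 2021 10:18:14 GMT',
  'Set-Cookie: b=2',
  'Set-Cookie: c=3',
  'Content-Type: text/html',
);

foreach (array('overwrite', 'join', 'list') as $mode) {
  $h = parse_response_headers($lines, $mode);
  echo $mode, ': ', json_encode($h['Set-Cookie']), "\n";
}
```

A comma-joined value cannot be split back reliably once a cookie carries an Expires date, because the date itself contains a comma; RFC 6265 later advised against folding Set-Cookie fields for that reason.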
Comment #8
Dries commented:
Committed to HEAD.