PHP Classes

SetCookie errors

Package: PHP HTTP protocol client
Subject: SetCookie errors
Summary: The domain validation in SetCookie doesn't allow localhost
Messages: 4
Author: Kepler Gelotte
Date: 2008-04-09 05:16:43
Update: 2008-04-09 22:19:11
 

1. SetCookie errors
Kepler Gelotte - 2008-04-09 05:16:44
I had a hard time finding why my cookie wasn't being set because of:

    if(strlen($this->SetCookie($cookie_name, $cookie_value, $expires, $path , $domain, $secure, 1)))
        $this->error="";

If you don't want to fail on not being able to set cookies, maybe add a warning message in your class along with the error message and only fail if $this->error !== "".

Also the domain "localhost" fails your domain name validation check. Here is my fix in the SetCookie function:

    if($domain!="localhost"
    && ($domain==""
    || !strpos($domain,".",$domain[0]=="." ? 1 : 0))
    )

I am not sure if you even need this check because on internal LANs can you name domains single words also? I'm not sure about that one.


Regards,
Kepler Gelotte
neighborwebmaster.com

2. Re: SetCookie errors
Manuel Lemos - 2008-04-09 05:50:11 - In reply to message 1 from Kepler Gelotte
The cookies RFC states that the cookie domain must have at least one embedded dot for security reasons. I can issue an error log entry if that helps.

ietf.org/rfc/rfc2965.txt

3. Re: SetCookie errors
Kepler Gelotte - 2008-04-09 14:49:39 - In reply to message 2 from Manuel Lemos
From the RFC:

A user agent rejects (SHALL NOT store its information) if the Version
attribute is missing. Moreover, a user agent rejects (SHALL NOT
store its information) if any of the following is true of the
attributes explicitly present in the Set-Cookie2 response header:

...

The value for the Domain attribute contains no embedded dots,
and the value is not .local.


So it looks like localhost is OK. By the way, my Firefox browser stores the cookie under "localhost".

4. Re: SetCookie errors
Manuel Lemos - 2008-04-09 22:19:11 - In reply to message 3 from Kepler Gelotte
Sorry, that is the newer RFC for SetCookie2. For SetCookie, the right RFC is here, which was less restrictive:

ietf.org/rfc/rfc2109.txt

Anyway, localhost does not contain any embedded dots, nor does it start with a dot, so any cookies should be rejected.

The fact that Firefox accepts localhost cookies does not make it right. Maybe they have made an exception for localhost cookies because many developers use the localhost pseudo domain to test their applications.
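
The checks discussed in this thread, side by side, as an added example that is not part of the thread or of the HTTP client class. The function names are hypothetical, the sample domains are constructed, and reading "embedded" as "strictly between the first and last character" is an assumption of this example.

```php
<?php
// Added illustration. Function names are hypothetical and are not taken from
// the HTTP client class; the sample domains below are constructed.

// True when a dot appears strictly between the first and last character.
// A leading dot alone (".com") or a trailing dot alone ("com.") does not count.
function has_embedded_dot(string $domain): bool
{
    return strlen($domain) > 2 && strpos(substr($domain, 1, -1), '.') !== false;
}

// Strict check: any Domain value without an embedded dot is rejected.
function rejected_strict(string $domain): bool
{
    return !has_embedded_dot($domain);
}

// Strict check plus the "localhost" exemption proposed in message 1.
function rejected_with_localhost_exemption(string $domain): bool
{
    return $domain !== 'localhost' && !has_embedded_dot($domain);
}

// The rejection rule exactly as quoted in message 3: no embedded dots
// and the value is not ".local".
function rejected_quoted_rule(string $domain): bool
{
    return !has_embedded_dot($domain) && $domain !== '.local';
}

function verdict(bool $rejected): string
{
    return $rejected ? 'reject' : 'accept';
}

$samples = ['localhost', '.local', '.com', 'com', 'intranet', '.example.com', 'www.example.com', ''];

printf("%-16s %-8s %-20s %s\n", 'Domain', 'strict', 'localhost exemption', 'quoted rule');
foreach ($samples as $domain) {
    printf(
        "%-16s %-8s %-20s %s\n",
        $domain === '' ? '(empty)' : $domain,
        verdict(rejected_strict($domain)),
        verdict(rejected_with_localhost_exemption($domain)),
        verdict(rejected_quoted_rule($domain))
    );
}
```

All three checks reject ".com" and "com", since a Domain of ".com" would otherwise match every host under that top-level domain; they differ only on "localhost" and ".local".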