Cookie parsing strictness
kelunik opened this issue · comments
Currently we're pretty strict about cookie parsing and return an empty cookie array if any cookie contains invalid data. Maybe we should change this, but it might result in security issues depending on the cookie.
Is there any real gain from this? Does it expose any real world issues?
I hit this issue because some cookies from another application were present on localhost, probably not that important on deployed applications.
Is there any real gain from this? Does it expose any real world issues?
I ran into a problem that one of the sites was returning a cookie with a value containing spaces. As a result, this cookie was ignored and I received information on the site that was not what I wanted. If I add $value = urlencode($value) before preg_match(..., $value) to Amp\Http\Cookie::_construct() then the behavior becomes normal.
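The trade-off discussed in this thread, as an added example (not amphp/http code and not written by any participant): a Cookie request-header parser that checks each pair against the RFC 6265 grammar and either returns an empty array on the first invalid pair or drops only that pair and reports it. The function name, the $strict flag and the sample header are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not amphp/http code. Grammar per RFC 6265 section 4.1.1.
const NAME_RE  = '/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+\z/';                    // token
const VALUE_RE = '/^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*\z/';      // *cookie-octet

/**
 * Hypothetical helper: parse a Cookie request header.
 *
 * @return array{cookies: array<string, string>, rejected: list<string>}
 */
function parseCookieHeader(string $header, bool $strict): array
{
    $cookies = [];
    $rejected = [];

    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair, " \t");
        if ($pair === '') {
            continue;
        }

        $parts = explode('=', $pair, 2);
        $name  = $parts[0];
        $value = $parts[1] ?? null;

        // The grammar allows the value to be wrapped in one pair of double quotes.
        if ($value !== null && strlen($value) >= 2 && $value[0] === '"' && substr($value, -1) === '"') {
            $value = substr($value, 1, -1);
        }

        $valid = $value !== null
            && preg_match(NAME_RE, $name) === 1
            && preg_match(VALUE_RE, $value) === 1;

        if (!$valid) {
            if ($strict) {
                // All-or-nothing: one bad pair discards every cookie in the header.
                return ['cookies' => [], 'rejected' => [$pair]];
            }
            // Lenient: drop only the bad pair and keep it for logging.
            $rejected[] = $pair;
            continue;
        }

        $cookies[$name] = $value;
    }

    return ['cookies' => $cookies, 'rejected' => $rejected];
}

// Constructed header: the middle cookie has a space in its value, as in the report above.
$header = 'session=abc123; other_app=hello world; theme=dark';
var_dump(parseCookieHeader($header, true), parseCookieHeader($header, false));
```

In lenient mode the invalid pair is never decoded or repaired, so the application only sees values that passed validation, and the rejected list can be logged to spot clients or neighbouring applications that send malformed cookies.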