Duplicate `Set-Cookie` headers on Laravel

Question

Duplicate `Set-Cookie` headers on Laravel

adrianfalleiro opened this issue 8 years ago · comments

When using this HttpKernel adapter with the Laravel bootstrap I am seeing duplicate Set-Cookie headers being sent.

Is this supposed to happen? It doesn't seem to break anything in my testing so far though.

From what I can see, this is occurring because of line 276 of PHPPM\Bridges\HttpKernel in which an array of cookies is being merged with existing Set-Cookie headers on the SymfonyResponse object:

$headers['Set-Cookie'] = array_merge((array)$headers['Set-Cookie'], $cookies);

Does this need to happen? You're already merging $nativeHeaders with all of the SymfonyResponse object headers on line 247:

$headers = array_merge($nativeHeaders, $syResponse->headers->allPreserveCase());

I've created a demo project to show the issue: https://github.com/adrianfalleiro/laravel-5.6-ppm-example

All you need to do is composer install and then ./vendor/bin/ppm start. If you inspect the headers on the home page you should be able to see duplicate Set-Cookie headers sent.

Also for context I am running this on macOS 10.12.6 with PHP 7.2.4 installed (via Homebrew).

Dmytro Dzubenko · Answer 1 · Wed May 02 2018 17:41:02 GMT+0800 (China Standard Time)

And, there must be array_merge_recursive function. So I really don't get why we should merge cookies twice.

Index: Bridges/HttpKernel.php
<+>UTF-8
===================================================================
--- Bridges/HttpKernel.php	(revision 086def550ccf72aee48bd62107cb2aa343cfebf6)
+++ Bridges/HttpKernel.php	(revision 0329324c219a8d892bed2a09fc2e481382e38e6c)
@@ -104,7 +104,7 @@
         if ($this->application instanceof TerminableInterface) {
             $this->application->terminate($syRequest, $syResponse);
         }
-        
+
         if ($this->application instanceof Kernel) {
             $this->application->terminate($syRequest, $syResponse);
         }
@@ -244,34 +244,10 @@
         // operates on a clean header.
         header_remove();
 
-        $headers = array_merge($nativeHeaders, $syResponse->headers->allPreserveCase());
+        $syHeaders = $syResponse->headers->allPreserveCase();
+        $headers = array_merge_recursive($nativeHeaders, $syHeaders);
         $cookies = [];
 
-        /** @var Cookie $cookie */
-        foreach ($syResponse->headers->getCookies() as $cookie) {
-            $cookieHeader = sprintf('%s=%s', $cookie->getName(), $cookie->getValue());
-
-            if ($cookie->getPath()) {
-                $cookieHeader .= '; Path=' . $cookie->getPath();
-            }
-            if ($cookie->getDomain()) {
-                $cookieHeader .= '; Domain=' . $cookie->getDomain();
-            }
-
-            if ($cookie->getExpiresTime()) {
-                $cookieHeader .= '; Expires=' . gmdate('D, d-M-Y H:i:s', $cookie->getExpiresTime()). ' GMT';
-            }
-
-            if ($cookie->isSecure()) {
-                $cookieHeader .= '; Secure';
-            }
-            if ($cookie->isHttpOnly()) {
-                $cookieHeader .= '; HttpOnly';
-            }
-
-            $cookies[] = $cookieHeader;
-        }
-
         if (isset($headers['Set-Cookie'])) {
             $headers['Set-Cookie'] = array_merge((array)$headers['Set-Cookie'], $cookies);
         } else {

After this everything works as expected.

marc j. schmidt · Answer 2 · Wed May 02 2018 17:53:49 GMT+0800 (China Standard Time)

@dzubchik because you completely got rid of all cookies set by Symfony Response instance. AFAIK allPreserveCase() does not build cookie header entries of header->cookies.

marc j. schmidt · Answer 3 · Wed May 02 2018 17:55:32 GMT+0800 (China Standard Time)

oh, well, I just saw, Symfony\Component\HttpFoundation\Cookie has __toString which does it already. 👍

Dmytro Dzubenko · Answer 4 · Wed May 02 2018 17:58:23 GMT+0800 (China Standard Time)

Before this session cookie was not installed.

Adrian Falleiro · Answer 5 · Sat May 05 2018 20:00:44 GMT+0800 (China Standard Time)

@dzubchik When I tested your code block above on a Laravel project authentication fails. I cannot figure out why, but it looks to be failing because the XSRF tokens in the POST body and session do not match.

Instead the below seemed to work for me

 protected function mapResponse(SymfonyResponse $syResponse, $stdout='')
 {
    ...
-  $headers = array_merge($nativeHeaders, $syResponse->headers->allPreserveCase());
+  $headers = array_merge($nativeHeaders, $syResponse->headers->allPreserveCaseWithoutCookies());
    ...    
 }

And then iterating over $syResponse->headers->getCookies() and adding them to the PSR-7 response as it currently does.

I'm not really sure why this works...as allPreserveCase() does exactly the same thing.

Mathieu De Zutter · Answer 6 · Sun Jun 10 2018 17:00:40 GMT+0800 (China Standard Time)

See also #112 for fixing the session cookie. That PR also got rid of duplicate cookies for me.

Mathieu De Zutter · Answer 7 · Tue Jul 31 2018 12:31:39 GMT+0800 (China Standard Time)

This issue should be retested now that #112 has been merged.

Adrian Falleiro · Answer 8 · Tue Jul 31 2018 13:24:41 GMT+0800 (China Standard Time)

Thanks, I’ll retest my original code

andig · Answer 9 · Tue Jul 31 2018 13:26:56 GMT+0800 (China Standard Time)

Please reopen if issue persists.