Issue status update for http://drupal.org/node/28629 Post a follow up: http://drupal.org/project/comments/add/28629 Project: Drupal Version: cvs Component: base system Category: bug reports Priority: critical Assigned to: chx Reported by: chx Updated by: chx Status: patch (ready to be committed) Try lynx http://www.paypal.com . You'll get: www.paypal.com cookie: sc_lucky_value=C8DF7645 Allow? (Y/N/Always/neVer) www.paypal.com cookie: cookie_check=yes Allow? (Y/N/Always/neVer) ww.paypal.com cookie: Apache=80.98.163.54.5329112474109433 Allow? (Y/N/Always/neVer) So, you need to take care of three Set-Cookie headers. If you take a look at the current code, only the last would be returned. chx Previous comments: ------------------------------------------------------------------------ Wed, 10 Aug 2005 17:42:33 +0000 : chx Attachment: http://drupal.org/files/issues/resp.patch (775 bytes) This is an issue with cookies: when you get multiple response headers with the same name, they are overridden. This is probably what we want for location but for set-cookie this is bad. So says RFC 2109: " Informally, the Set-Cookie response header comprises the token Set- Cookie:, followed by a comma-separated list of one or more cookies. " ------------------------------------------------------------------------ Wed, 10 Aug 2005 18:05:04 +0000 : killes@www.drop.org according to the cited RFC I believe this to be correct. The patch does apply and does not cause parse errors. ;) ------------------------------------------------------------------------ Thu, 11 Aug 2005 07:28:06 +0000 : Dries Please add a code comment quoting the relevant bits of the RFC. Like that, we'll be able to understand what is going on. ------------------------------------------------------------------------ Thu, 18 Aug 2005 05:13:14 +0000 : chx Attachment: http://drupal.org/files/issues/set_cookie.patch (883 bytes) Well, now I feel this is ready to be commited. I even put a conditional in it, so only Set-Cookie header gets different treatment. ------------------------------------------------------------------------ Thu, 18 Aug 2005 21:43:53 +0000 : Dries Where did this bug trigger? One could argue that the $header-array (input parameter) is malformed and that it is the caller's problem. ------------------------------------------------------------------------ Thu, 18 Aug 2005 23:02:52 +0000 : chx The $header parameter is something you send out and what this patch affects are the result headers. This occurs if a site sets more than one cookie which is not unheard of. ------------------------------------------------------------------------ Mon, 22 Aug 2005 19:34:04 +0000 : Dries But _who_ calls drupal_http_request like that? Where is the culprit that triggered this bug?