Problem and solution of URLEncode for cookie value by PHP setcookie

2020-12-07 15:22:41 A ball for running horses

1. Problem

Consider the following code in setcookie.php:

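<?php
class Cookie{
    protected $_key = "person";
    protected $_val = "name:ball,sex:male";

    // Set the cookie through setcookie(), which urlencodes the value
    public function set(){
        $duration = 0;   // 0 = session cookie, expires when the browser closes
        $path = "/";
        setcookie($this->_key, $this->_val, $duration, $path);
    }

    // Read the cookie back on the PHP side
    public function get(){
        echo $_COOKIE[$this->_key];
    }
}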

Call set() first, then call get(). The page outputs:

name:ball,sex:male

That matches expectations. But when the cookie is viewed with Chrome's debug tools, the value of person is

name%3Aball%2Csex%3Amale

Running document.cookie in the console gives

"person=name%3Aball%2Csex%3Amale"

In other words, although the PHP side can set and read the cookie value normally, from the browser or JS side the cookie is encoded. That is inconvenient for JS to use, and inconvenient when inspecting the cookie by hand while troubleshooting.

2. Solution

The manual confirms that setcookie does urlencode the cookie value. How can this be avoided? In essence, setcookie just adds a Set-Cookie header to the response, so I decided to try the header function directly. The set() code is adjusted as follows:

public function set(){
    // Build the Set-Cookie header by hand; the value is sent as-is, without urlencode
    $str = sprintf("Set-Cookie:%s=%s;path=/", $this->_key, $this->_val);
    header($str);
}

Viewing the cookie in Chrome again, the value of person is as follows; it is not encoded.

name:ball,sex:male

3. Risk

The method in section 2 solves the problem of the cookie value being encoded, but does it carry any risk? The answer is yes. For example, if the cookie value contains a semicolon (in the HTTP protocol, the character Set-Cookie uses to separate key-value pairs), it produces a bug.

To illustrate the problem, first look at the response header from the example in section 2 (mainly the Set-Cookie part):

Server: nginx/1.4.1
Set-Cookie: person=name:ball,sex:male;path=/
Transfer-Encoding: chunked

Now modify the code.

Change
protected $_val = "name:ball,sex:male";
to
protected $_val = "name:ball;sex:male";

The response header becomes

Server: nginx/1.4.1
Set-Cookie: person=name:ball;sex:male;path=/
Transfer-Encoding: chunked

The semicolon after ball cuts off the value of person. The sex:male; that follows is parsed by the protocol as an unrecognized key-value pair, so it is ignored.

The output of get() and the value of person seen in the browser both become

name:ball

4. Suggestions

Keep cookie values as simple as possible, with no special symbols, so that even setcookie's urlencode changes nothing. If special characters must be included, take care to avoid the characters reserved by the protocol.
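
The truncation from section 3 and one way to follow the advice in section 4, as an added example that is not code from the original article: only bytes outside RFC 6265's cookie-octet set (plus '%') are percent-encoded, so ':' stays readable while ';' can no longer split the value. The helper names encode_cookie_value, build_set_cookie and browser_cookie_value are hypothetical, and the sample headers are constructed.

```php
<?php
// Added example (requires PHP 7.4+ for the arrow function).
// encode_cookie_value, build_set_cookie and browser_cookie_value are
// hypothetical helpers, not PHP built-ins.

// Percent-encode only bytes outside RFC 6265's cookie-octet set, plus '%'
// itself so decoding is unambiguous. ':' stays readable; ';' ',' '"' '\',
// whitespace, control bytes and non-ASCII bytes are escaped.
function encode_cookie_value(string $value): string
{
    return preg_replace_callback(
        '/[^\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]|%/',
        fn(array $m): string => sprintf('%%%02X', ord($m[0])),
        $value
    );
}

// Build the header line for header(); the cookie name must be an HTTP token.
function build_set_cookie(string $name, string $value): string
{
    if (!preg_match('/\A[A-Za-z0-9!#$%&\'*+.^_`|~-]+\z/', $name)) {
        throw new InvalidArgumentException('invalid cookie name');
    }
    return sprintf('Set-Cookie: %s=%s; Path=/', $name, encode_cookie_value($value));
}

// Simplified model of the client side: the value ends at the first ';'.
function browser_cookie_value(string $header): string
{
    $pair = explode(';', substr($header, strlen('Set-Cookie: ')), 2)[0];
    return explode('=', $pair, 2)[1];
}

$raw    = 'name:ball;sex:male';                       // value from section 3
$unsafe = 'Set-Cookie: person=' . $raw . '; Path=/';  // hand-built, unencoded
$safe   = build_set_cookie('person', $raw);

// Unencoded header: the client-side value stops at the embedded ';'.
echo browser_cookie_value($unsafe), "\n";
// Encoded header: ';' is escaped, ':' is left as-is.
echo $safe, "\n";
// Decoding the client-side value restores the full original string.
echo rawurldecode(browser_cookie_value($safe)), "\n";

// In a real response: header(build_set_cookie('person', $raw), false);
```

On the JS side the value is recovered with decodeURIComponent. PHP's built-in setrawcookie() also sends the value without URL-encoding, and it refuses values that contain characters such as ';' and ','.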


Copyright notice
This article was written by [A ball for running horses]. Please include the original link when reposting. Thank you.
https://chowdera.com/2020/12/20201207150448276k.html