Closed robertovernina closed 5 years ago
Hi @robertovernina, thanks for your report. I've been thinking about this library and I'm afraid RequestCookies is not super useful. It doesn't add much value besides a value object to work with. The only thing that's important is adding cookies to a response I guess. I know about the array syntax but I don't think that's standard HTTP stuff? My thoughts, just drop the RequestCookies, ResponseCookies & Signer... and focus on the adding cookies to a response part.
@hansott thanks for your reply and for thinking about this issue. You're right: cookies in the Request object should be read-only, and they should be easily read from the Request without wrapping them into a value object. I might consider stopping using that factory in my implementation, as you plan to drop that from the library anyway. Thanks a lot!
The Cookie class constructor accepts only strings as cookie $value, but there are cases where it could get an array. For example, if a cookie is sent like this:
In this case, PHP is converting the cookie header value into an array; so, the ServerRequestInterface::getCookieParams() method returns this:
This causes RequestCookies::createFromRequest() to fail when creating a new Cookie() object for each cookie header set into the ServerRequestInterface object; that's because an array is passed instead of a string, for argument 2. I would recommend keeping an eye on data sanitisation when fixing it, as this could possibly lead to code injection from malicious requests.
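A guard for the failure described in this issue, as an added example that is not part of the original thread or the library's code: it separates string cookie values from the arrays PHP builds for bracket-style cookie names before anything is passed to a constructor that expects a string. The function name `partitionCookieParams` and the sample cookie names and values are assumptions made up for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Split PSR-7 cookie params into plain string cookies and rejected names.
 * Hypothetical helper, not part of the library discussed in this issue.
 *
 * @param array<int|string, mixed> $cookieParams result of getCookieParams()
 * @return array{accepted: array<string, string>, rejected: list<string>}
 */
function partitionCookieParams(array $cookieParams): array
{
    $accepted = [];
    $rejected = [];
    foreach ($cookieParams as $name => $value) {
        // PHP turns numeric-looking array keys into ints; cast back to string.
        $name = (string) $name;
        if (is_string($value)) {
            $accepted[$name] = $value;
        } else {
            // Arrays come from bracket syntax in the cookie name (a[b]=c).
            $rejected[] = $name;
        }
    }
    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample: the shape PHP produces for a request header such as
// "Cookie: session=abc123; prefs[theme]=dark; prefs[lang]=en"
$cookieParams = [
    'session' => 'abc123',
    'prefs'   => ['theme' => 'dark', 'lang' => 'en'],
];

$result = partitionCookieParams($cookieParams);
foreach ($result['accepted'] as $name => $value) {
    // Only these are safe to hand to a constructor typed as string $value.
    printf("accepted %s=%s\n", $name, $value);
}
foreach ($result['rejected'] as $name) {
    // Report and drop instead of flattening client-controlled structure.
    printf("rejected non-string cookie %s\n", $name);
}
```

Rejecting the array instead of serialising or joining it keeps client-controlled structure out of later string handling, which is the sanitisation concern raised in the report.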