hansott / psr7-cookies

🍪 bakes cookies for PSR-7 messages
https://hansott.github.io
MIT License

Array in cookies #5

Closed robertovernina closed 5 years ago

robertovernina commented 5 years ago

The Cookie class constructor accepts only strings as cookie $value, but there are cases where it could get an array. For example, if a cookie is sent like this:

curl -v -k --cookie "array_name[0]=someValue" http://127.0.0.1:5000

In this case, PHP is converting the cookie header value into an array; so, the ServerRequestInterface::getCookieParams() method returns this:

Array
(
    [array_name] => Array
        (
            [0] => someValue
        )

)

This causes RequestCookies::createFromRequest() to fail when creating a new Cookie() object for each cookie header set into the ServerRequestInterface object; that's because an array is passed instead of a string for argument 2. I would recommend keeping an eye on data sanitisation when fixing it, as this could possibly lead to code injection from malicious requests.
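One way to guard against the array case before any string-only value object is built, shown as an added example that is not part of the original issue or of the library's code. `filterScalarCookies` is a hypothetical helper and the sample array is constructed; the only assumption is that the input has the shape returned by ServerRequestInterface::getCookieParams().

```php
<?php
declare(strict_types=1);

/**
 * Split cookie params into string-valued cookies and rejected names.
 * Hypothetical helper, not part of psr7-cookies.
 *
 * @param array<int|string, mixed> $cookieParams as returned by getCookieParams()
 * @return array{accepted: array<string, string>, rejected: list<string>}
 */
function filterScalarCookies(array $cookieParams): array
{
    $accepted = [];
    $rejected = [];

    foreach ($cookieParams as $name => $value) {
        // PHP turns numeric cookie names into int keys; normalise to string.
        $name = (string) $name;

        if (is_string($value)) {
            $accepted[$name] = $value;
        } else {
            // Non-string values come from the bracket syntax,
            // e.g. "array_name[0]=someValue". Record the name and skip it
            // instead of passing an array where a string is expected.
            $rejected[] = $name;
        }
    }

    return ['accepted' => $accepted, 'rejected' => $rejected];
}

// Constructed sample: the structure PHP builds for the header
// "Cookie: session=abc123; array_name[0]=someValue".
$cookieParams = [
    'session'    => 'abc123',
    'array_name' => [0 => 'someValue'],
];

$result = filterScalarCookies($cookieParams);
var_dump($result);
```

Rejected names can be logged or answered with a 400 response, depending on how strict the application needs to be.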

hansott commented 5 years ago

Hi @robertovernina, thanks for your report. I've been thinking about this library and I'm afraid RequestCookies is not super useful. It doesn't add much value besides a value object to work with. The only thing that's important is adding cookies to a response I guess. I know about the array syntax but I don't think that's standard HTTP stuff? My thoughts, just drop the RequestCookies, ResponseCookies & Signer... and focus on the adding cookies to a response part.

robertovernina commented 5 years ago

@hansott thanks for your reply and for thinking about this issue. You're right: cookies in the Request object should be read-only, and they should be easily read from the Request without wrapping them into a value object. I might consider stopping using that factory in my implementation, as you plan to drop that from the library anyway. Thanks a lot!