| author | Martin Jansen <martin@divbyzero.net> | 2014-05-06 22:00:59 +0200 |
|---|---|---|
| committer | Martin Jansen <martin@divbyzero.net> | 2014-05-06 22:00:59 +0200 |
| commit | c5f9a231d5adc8cf8ab9890f0acc27206495a080 (patch) | |
| tree | ba58a8f801eed97876e695eaeb948048f76f8ba6 /ext/session/session.c | |
| parent | c0f4e270a8e7c78b780fc3872f05758d16e522ef (diff) | |
| download | php-git-c5f9a231d5adc8cf8ab9890f0acc27206495a080.tar.gz | |
Streamlining of cookie handling in ext/session and setcookie
Up until now the session cookie used "HttpOnly" to indicate cookies
only available through HTTP while setcookie() used "httponly". The
relevant RFC 6265 claims that case does not matter for this token,
but only explicitly mentions "HttpOnly". Thus this seems like a
logical choice when streamlining the code.
Also the setcookie implementation now uses the same string constants
as the session extension for other tokens like Max-Age or the domain
attribute.
This change poses a slight risk of backwards incompatibility in places
where people deliberately ignore chapter 5.2.5 of RFC 6265 and perform
case-sensitive checks for the HttpOnly attribute.
Diffstat (limited to 'ext/session/session.c')
| -rw-r--r-- | ext/session/session.c | 9 |
1 files changed, 1 insertions, 8 deletions
diff --git a/ext/session/session.c b/ext/session/session.c index 1d60c40188..c5d710096d 100644 --- a/ext/session/session.c +++ b/ext/session/session.c @@ -51,6 +51,7 @@ #include "ext/standard/php_smart_str.h" #include "ext/standard/url.h" #include "ext/standard/basic_functions.h" +#include "ext/standard/head.h" #include "mod_files.h" #include "mod_user.h" @@ -1289,14 +1290,6 @@ static int php_session_cache_limiter(TSRMLS_D) /* {{{ */ * Cookie Management * ********************* */ -#define COOKIE_SET_COOKIE "Set-Cookie: " -#define COOKIE_EXPIRES "; expires=" -#define COOKIE_MAX_AGE "; Max-Age=" -#define COOKIE_PATH "; path=" -#define COOKIE_DOMAIN "; domain=" -#define COOKIE_SECURE "; secure" -#define COOKIE_HTTPONLY "; HttpOnly" - /* * Remove already sent session ID cookie. * It must be directly removed from SG(sapi_header) because sapi_add_header_ex() |
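Review bot: the new `#include "ext/standard/head.h"` in the first hunk is the only thing left in session.c that says where the cookie token strings now come from, so a one-line comment on that include (e.g. `/* shared Set-Cookie token constants */`) would make the dependency explicit; the diff as limited to ext/session/session.c does not show head.h, so before merging confirm that it exports every name the removed block defined (COOKIE_SET_COOKIE, COOKIE_EXPIRES, COOKIE_MAX_AGE, COOKIE_PATH, COOKIE_DOMAIN, COOKIE_SECURE, COOKIE_HTTPONLY), otherwise the remaining uses in session.c will fail to compile.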
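Review bot: the second hunk removes the local definitions without showing the replacements, so the exact bytes emitted in Set-Cookie headers (`; expires=`, `; Max-Age=`, `; path=`, `; domain=`, `; secure`, `; HttpOnly`) now depend on head.h; the commit message only calls out the HttpOnly case risk, but any difference in spelling or case for the other tokens is an equally visible change to clients and proxies that do case-sensitive matching, so please document the final token spellings in NEWS/UPGRADING and cover them with a test that asserts on the session cookie header text.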
