Posted to bugs@httpd.apache.org by bu...@apache.org on 2015/03/02 09:01:18 UTC

[Bug 57652] New: Contents of cookie are URL encoded using mod_log_config %{VARNAME}C

https://bz.apache.org/bugzilla/show_bug.cgi?id=57652

            Bug ID: 57652
           Summary: Contents of cookie are URL encoded using
                    mod_log_config %{VARNAME}C
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_log_config
          Assignee: bugs@httpd.apache.org
          Reporter: gmillikan@t1shopper.com

When written to the log, cookies are URL encoded when using %{VARNAME}C. For
example a cookie received in the request headers as
"cAsPuTNpqas,6rrgB7T-6kGQbf4" becomes the following when written to the log,
"cAsPuTNpqas%2C6rrgB7T-6kGQbf4"

Please update documentation at
https://httpd.apache.org/docs/current/mod/mod_log_config.html

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 57652] Contents of cookie are URL encoded using mod_log_config %{VARNAME}C

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57652

--- Comment #3 from Geoff Millikan <gm...@t1shopper.com> ---
For posterity, this is a PHP gotcha:

PHP's popular setcookie() function URL-encodes the cookie when pushing it out
to the client browser as the documentation says.  The corresponding function
session_id() both reads the cookie from the HTTP request headers AND
URL-decodes it.  The URL-decoding isn't mentioned in the PHP documentation.

Happy session handling,

--Geoff

https://php.net/manual/en/function.setcookie.php

https://php.net/manual/en/function.session-id.php



[Bug 57652] Contents of cookie are URL encoded using mod_log_config %{VARNAME}C

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57652

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #1 from Eric Covener <co...@gmail.com> ---
Doesn't do that for me.  It should only escape quotes and unprintables.

$ grep common built/conf/httpd.conf
    LogFormat "%a %h %l %u %t \"%r\" %>s %b %f %D %{foo}C" common
    CustomLog "logs/access_log" common

$ wget -qS --header="Cookie: foo=bar,baz" http://localhost/index.html -O-
  HTTP/1.1 200 OK
  Date: Mon, 02 Mar 2015 17:52:25 GMT
  Server: Apache/2.5.0-dev (Unix) OpenSSL/1.0.1f
  Last-Modified: Fri, 23 Jan 2015 17:26:26 GMT
  ETag: "0-50d5516994c52"
  Accept-Ranges: bytes
  Content-Length: 0
  Keep-Alive: timeout=5, max=100
  Connection: Keep-Alive
  Content-Type: text/html

$ tail -1 built/logs/access_log 
127.0.0.1 127.0.0.1 - - [02/Mar/2015:17:52:25 +0000] "GET /index.html HTTP/1.1" 200 - /home/covener/public_html/index.html 306 bar,baz



[Bug 57652] Contents of cookie are URL encoded using mod_log_config %{VARNAME}C

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=57652

Geoff Millikan <gm...@t1shopper.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEEDINFO                    |RESOLVED

--- Comment #2 from Geoff Millikan <gm...@t1shopper.com> ---
My bad.  This is not an Apache bug.  This is happening downstream in PHP or
MySQL.  Sorry for the trouble.  Confirmed everything is ok on
Apache/2.2.29 per output below.  Nice debug script, thanks Eric.

$ grep PHPSESSID /etc/httpd/conf/httpd.conf
    LogFormat "%h\t%l\t%u\t%t\t%r\t%>s\t%b\t%{Referer}i\t%{User-Agent}i\t%{PHPSESSID}C" combinedcookie

$ wget --server-response --no-check-certificate --header="Cookie: PHPSESSID=pOoq97tCR5N,PWnoQMlIoLitbT0" https://www.t1shopper.com/contactus/index.php

--2015-03-03 05:12:38--  https://www.t1shopper.com/contactus/index.php
HTTP request sent, awaiting response...
  HTTP/1.1 200 OK
  Date: Tue, 03 Mar 2015 05:12:38 GMT
  Server: Apache
  Expires: Thu, 19 Nov 1981 08:52:00 GMT
  Vary: Accept-Encoding
  Cache-Control: public
  Connection: close
  Content-Type: text/html
Length: unspecified [text/html]
Saving to: `index.php'

$ cat /var/log/httpd/t1shopper_access_log | grep 127.0.0.1

127.0.0.1       -       -       [03/Mar/2015:05:12:38 +0000]    GET /contactus/index.php HTTP/1.0       200     17532   -       Wget/1.11.4 Red Hat modified    pOoq97tCR5N,PWnoQMlIoLitbT0
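
Added example, not part of the original thread and not Apache or PHP code: a log-correlation helper for the tab-separated `combinedcookie` format above. It percent-decodes the logged `%{PHPSESSID}C` field before comparing, so a session ID that reached the server URL-encoded (as comment #3 describes for PHP) still matches the decoded value held by the application. The function names and sample log lines are constructed for illustration.

```python
from urllib.parse import unquote

# Field order of the tab-separated "combinedcookie" LogFormat from comment #2.
FIELDS = ("host", "ident", "user", "time", "request", "status",
          "bytes", "referer", "user_agent", "phpsessid")

# Constructed sample lines (not from the report): the same session ID logged
# raw and percent-encoded, a request without the cookie, and another session.
SAMPLE_LOG = [
    "127.0.0.1\t-\t-\t[03/Mar/2015:05:12:38 +0000]\tGET /a.php HTTP/1.0\t200"
    "\t17532\t-\tWget/1.11.4\tcAsPuTNpqas,6rrgB7T-6kGQbf4",
    "127.0.0.1\t-\t-\t[03/Mar/2015:05:12:40 +0000]\tGET /b.php HTTP/1.1\t200"
    "\t512\t-\tMozilla/5.0\tcAsPuTNpqas%2C6rrgB7T-6kGQbf4",
    "127.0.0.1\t-\t-\t[03/Mar/2015:05:12:41 +0000]\tGET / HTTP/1.1\t200"
    "\t99\t-\tMozilla/5.0\t-",
    "127.0.0.1\t-\t-\t[03/Mar/2015:05:12:42 +0000]\tGET / HTTP/1.1\t200"
    "\t99\t-\tMozilla/5.0\totherSession123",
]

def parse_line(line):
    """Split one log line into named fields; None if the field count is off."""
    parts = line.rstrip("\n").split("\t")
    return dict(zip(FIELDS, parts)) if len(parts) == len(FIELDS) else None

def normalize_session_id(logged):
    """Percent-decode the logged cookie value; '-' means no cookie was sent."""
    if logged in ("", "-"):
        return None
    # Assumption: only %XX escapes need undoing; '+' is left untouched.
    return unquote(logged)

def requests_for_session(lines, session_id):
    """Return parsed records whose decoded PHPSESSID equals session_id."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and normalize_session_id(rec["phpsessid"]) == session_id:
            hits.append(rec)
    return hits

def naive_matches(lines, session_id):
    """Exact string match on the last field, which misses the encoded form."""
    return [l for l in lines if l.endswith("\t" + session_id)]

if __name__ == "__main__":
    sid = "cAsPuTNpqas,6rrgB7T-6kGQbf4"
    print(len(naive_matches(SAMPLE_LOG, sid)),
          len(requests_for_session(SAMPLE_LOG, sid)))
```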
