PHP $_COOKIE is not entirely populated

Question

I've spent a little while trying to trace the root cause of a particular Laravel bug since the original GitHub issue was closed without resolution.

After some time of experimenting I discovered that the session was being regenerated because the laravel_session cookie was set to null. Tracing this back as far as possible, I found that in index.php -- before Laravel ever loads -- the value of $_COOKIE is corrupt... sometimes

About 90% of the time when I make a call to my app, my cookies look like so:

array:7 [
  "__unam" => "bc7c68-14f8d12a5ef-43097c02-213"
  "__utma" => "152883115.857409601.1438038184.1440538193.1440976773.14"
  "__utmc" => "152883115"
  "__utmz" => "152883115.1435960225.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
  "PHPSESSID" => "k8qvmt8ccbhcqepbn7mib8kra6"
  "XSRF-TOKEN" => "eyJpdiI6IlJGd2M1WHlRcnhpeGtobFZpVlZaWmc9PSIsInZhbHVlIjoiMXhFSnlHeTZKbkc5NWxYcFwvNkNUTkNXeVpROWIweGJkczhIXC9LVStNMVlvSjFoRmttTXlLeTVOS01JM0wrN2FCdjVvQzM2RHNwRjJQcGlTNWZyelM2QT09IiwibWFjIjoiZDdjMzk1Zjg0YWUzYjhlNzUyYmQ4NzAwNTFhZWIwNDM1MDQyYmMwZjZkODllMTVlMGMxNTVjZjBmNTlmMTlkNiJ9"
  "laravel_session" => "eyJpdiI6InV4YmFFTzJxTTdrVGlPdjVQZkszS1E9PSIsInZhbHVlIjoieGdsYzJTYTlqY3k4MzFIR2l6b2ZSaFwvK1RmdGg1UUhYR2dkdVpmNVVvcHoyMm5yRUpMUWRGRjVZd3ZUXC81OXl1QnpBRnR3a05kNXp1MEFoV2pLTmpIdz09IiwibWFjIjoiOThjMTU1MTE0ZTRjM2E2MGEzNGQ0MTcwODNhZmNlODMyZjM0MGViMjdmZjliMWZhNjE2M2Q0YzFlNWQxZDZiYyJ9"
]

But then 10% of the time, it looks like so:

array:7 [
  "__unam" => "bc7c68-14f8d12a5ef-43097c02-213"
  "__utma" => "152883115.857409601.1438038184.1440538193.1440976773.14"
  "__utmc" => "152883115"
  "__utmz" => "152883115.1435960225.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
  "PHPSESSID" => "k8qvmt8ccbhcqepbn7mib8kra6"
  "XSRF-TOKEN" => "eyJpdiI6IlJGd2M1WHlRcnhpeGtobFZpVlZaWmc9PSIsInZhbHVlIjoiMXhFSnlHeTZKbkc5NWxYcFwvNkNUTkNXeVpROWIweGJkczhIXC9LVStNMVlvSjFoRmttTXlLeTVOS01JM0wrN2FCdjVvQzM2RHNwRjJQcGlTNWZyelM2QT09IiwibWFjIjoiZDdjMzk1Zjg0YWUzYjhlNzUyYmQ4NzAwNTFhZWIwNDM1MDQyYmMwZjZkODllMTVlMGMxNTVjZjBmNTlmMTlkNiJ9"
  "laravel_session" => "eyJpdiI6InV4YmFFTzJxTTdrVGlPdjVQZkszS1E9PSIsInZhbHVlIjoieGdsYzJTYTlqY3k4MzFIR2l6b2ZSaFwvK1RmdGg1UUhYR2dkdVpmNVVvcHoyMm5yRUpMUWRGRjVZd3Z"
]

Using a web proxy (Charles) to monitor network traffic, the issue is not on my end -- the full cookie string is being sent, but the server is only seeing a partial message (the laravel_session cookie gets cut off)

Every time the issue occurs, it gets cut off at the exact same spot: 678 bytes after the start of the cookie string (1435 bytes into the raw HTTP request text). Strangely the request body is transmitted with no harm, and this comes after the cookie string in the raw HTTP request, so it's not a matter of the TCP connection failing out.

PATCH /api/employees/1 HTTP/1.1
Host: www.mywebsite.com
Content-Length: 23
Accept: application/json, text/plain, */*
Origin: http://www.mywebsite.com
X-XSRF-TOKEN: eyJpdiI6IlJGd2M1WHlRcnhpeGtobFZpVlZaWmc9PSIsInZhbHVlIjoiMXhFSnlHeTZKbkc5NWxYcFwvNkNUTkNXeVpROWIweGJkczhIXC9LVStNMVlvSjFoRmttTXlLeTVOS01JM0wrN2FCdjVvQzM2RHNwRjJQcGlTNWZyelM2QT09IiwibWFjIjoiZDdjMzk1Zjg0YWUzYjhlNzUyYmQ4NzAwNTFhZWIwNDM1MDQyYmMwZjZkODllMTVlMGMxNTVjZjBmNTlmMTlkNiJ9
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36
Content-Type: application/json;charset=UTF-8
Referer: http://www.mywebsite.com/admin/employees?location=1
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8
Cookie: __unam=bc7c68-14f8d12a5ef-43097c02-213; __utma=152883115.857409601.1438038184.1440538193.1440976773.14; __utmc=152883115; __utmz=152883115.1435960225.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); PHPSESSID=k8qvmt8ccbhcqepbn7mib8kra6; XSRF-TOKEN=eyJpdiI6IlJGd2M1WHlRcnhpeGtobFZpVlZaWmc9PSIsInZhbHVlIjoiMXhFSnlHeTZKbkc5NWxYcFwvNkNUTkNXeVpROWIweGJkczhIXC9LVStNMVlvSjFoRmttTXlLeTVOS01JM0wrN2FCdjVvQzM2RHNwRjJQcGlTNWZyelM2QT09IiwibWFjIjoiZDdjMzk1Zjg0YWUzYjhlNzUyYmQ4NzAwNTFhZWIwNDM1MDQyYmMwZjZkODllMTVlMGMxNTVjZjBmNTlmMTlkNiJ9; laravel_session=eyJpdiI6InV4YmFFTzJxTTdrVGlPdjVQZkszS1E9PSIsInZhbHVlIjoieGdsYzJTYTlqY3k4MzFIR2l6b2ZSaFwvK1RmdGg1UUhYR2dkdVpmNVVvcHoyMm5yRUpMUWRGRjVZd3ZUXC81OXl1QnpBRnR3a05kNXp1MEFoV2pLTmpIdz09IiwibWFjIjoiOThjMTU1MTE0ZTRjM2E2MGEzNGQ0MTcwODNhZmNlODMyZjM0MGViMjdmZjliMWZhNjE2M2Q0YzFlNWQxZDZiYyJ9

{"id":"1","show":false}

I'm using PHP's built-in development server (php -S 0.0.0.0:80). I tried using Apache to see if it resolves the issue and while it seems like the cookie string always comes across correctly with Apache, I've got another error where PHP utterly crashes and burns upon hitting a file_put_contents call. I have the following code:

try {
    echo "Writing... (LOCK_EX: " . LOCK_EX . ")<br />\n";
    file_put_contents($path, $contents, $lock ? LOCK_EX : 0);
    echo "Done.";
} catch( Exception $e ) {
    echo "WHAT";
}
echo "Failed?";

Which is returning only Writing... (LOCK_EX: 2)<br />\n

None of "Done.", "WHAT", or "Failed?" are displayed.

Looking as ps all to see if the server was hanging, I don't even see the Apache process. However I know Apache is running because if I stop Apache (sudo apachectl stop) I stop getting any response from the server

4     0   807     1  20   0  15820   912 n_tty_ Ss+  tty4       0:00 /sbin/getty -8 38400 tty4
4     0   810     1  20   0  15820   916 n_tty_ Ss+  tty5       0:00 /sbin/getty -8 38400 tty5
4     0   815     1  20   0  15820   916 n_tty_ Ss+  tty2       0:00 /sbin/getty -8 38400 tty2
4     0   816     1  20   0  15820   920 n_tty_ Ss+  tty3       0:00 /sbin/getty -8 38400 tty3
4     0   819     1  20   0  15820   916 n_tty_ Ss+  tty6       0:00 /sbin/getty -8 38400 tty6
4     0  1029     1  20   0  15820   916 n_tty_ Ss+  tty1       0:00 /sbin/getty -8 38400 tty1
0     0  1057  9241  20   0  10016   880 -      R+   pts/2      0:00 ps all
0     0  5278  9239  20   0  12404  1212 wait   Ss   pts/8      0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0  5279  5278  20   0  22708  3660 n_tty_ S+   pts/8      0:00 bash -l
0     0  9240  9239  20   0  12404  1144 wait   Ss   pts/2      0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0  9241  9240  20   0  22776  3868 wait   S    pts/2      0:00 bash -l
0     0  9287  9239  20   0  12404  1148 wait   Ss   pts/4      0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0  9288  9287  20   0  22792  4040 n_tty_ S+   pts/4      0:02 bash -l
0     0 10740  9239  20   0  12404  1152 wait   Ss   pts/5      0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0 10741 10740  20   0  22756  3836 n_tty_ S+   pts/5      0:00 bash -l
0     0 17522 17476  20   0   1924   512 poll_s Ss+  pts/1      0:00 /root/.c9/bin/tmux -u2 -L cloud91.9 attach -t user@server_668 -d
0     0 18258 17476  20   0   1924   516 poll_s Ss+  pts/3      0:00 /root/.c9/bin/tmux -u2 -L cloud91.9 attach -t user@server_14 -d
0     0 20097  9239  20   0  12404  1204 wait   Ss   pts/9      0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0 20098 20097  20   0  22708  3808 wait   S    pts/9      0:00 bash -l
0     0 20134 20098  20   0 103624  2880 n_tty_ S+   pts/9      0:00 mysql -u root -p
0     0 30986 17476  20   0   1924   516 poll_s Ss+  pts/7      0:00 /root/.c9/bin/tmux -u2 -L cloud91.9 attach -t user@server_836 -d
0     0 31599  9239  20   0  12404  1204 wait   Ss   pts/6      0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0 31603 31599  20   0  22708  3636 n_tty_ S+   pts/6      0:00 bash -l
0     0 31632  9239  20   0  12404  1152 wait   Ss   pts/10     0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0 31633 31632  20   0  22760  3828 n_tty_ S+   pts/10     0:00 bash -l
0     0 31811  9239  20   0  12404  1152 wait   Ss   pts/12     0:00 bash -c export ISOUTPUTPANE=0;bash -l
0     0 31812 31811  20   0  22708  3520 n_tty_ S+   pts/12     0:00 bash -l

I'm really not sure what's going on (why Apache is failing or why the PHP built-in server is cutting off my $_COOKIE variable).

As a final note, I've already checked the permissions on the file I'm attempting to write to:

-rwxr-xr-x 1 root root 10629 Mar 12 13:14 services.json

So it's not that.

Update

Per @Siguza's suggestion, I tried adding another cookie to see what would happen. Upon first inspection it looked like there was some very strange behavior going on when I ran dd( $request->cookies ) before decryption:

Success

ParameterBag {#40
  #parameters: array:9 [
    "PHPSESSID" => "k8qvmt8ccbhcqepbn7mib8kra6"
    "__unam" => "bc7c68-14f8d12a5ef-43097c02-217"
    "__utma" => "152883115.857409601.1438038184.1440976773.1441571912.15"
    "__utmb" => "152883115.4.9.1441572254693"
    "__utmc" => "152883115"
    "__utmz" => "152883115.1435960225.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
    "yetAnotherCookie" => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    "XSRF-TOKEN" => "eyJpdiI6ImVqcW1cL09cL3oyQ0ZIcFBiQTRmZXFKUT09IiwidmFsdWUiOiJEbzV0NHcraGNmd3BMb0hibG5uNm9UTnhvNlV4bVRCVWRHOWFBM3VrOG0wZ2Z2NmF5QnpuNFh6a1dYdmhcL2pmWUtIb2lsOGdBS29xV0hvNnFOQktxR2c9PSIsIm1hYyI6IjRjMjU4ZWYxMTJkZTQ1NTU2YWQ3M2EwZjAzZDQwNDI4YzNmOTJjYTVhZTUzZTg4MzFmNTUxZDFkMTljNDBjZjkifQ=="
    "laravel_session" => "eyJpdiI6IkRkcGNLRE9KK3hkOFRNdzFXQzQreWc9PSIsInZhbHVlIjoiQm1qN2lNa2pTQTE2ZTQxUzJxbExGYnhheFhjUkQwMEpybEQ3XC9cL0pDMzA1MXdEeHF3a09qbnRKTjdPMzRKdjdBeFFNQ1hkamw1THFQanlnUURoRjJndz09IiwibWFjIjoiYTkzNjdmYjYyYTMzODM2MmY2MjQyNzZhNDQ1YjY2NzQ3OTFiZjVjODIyZmYzYmE3YjhlNGM1ZjQ2NTk1MTczNyJ9"
  ]
}

Failure

ParameterBag {#40
  #parameters: array:8 [
    "PHPSESSID" => "k8qvmt8ccbhcqepbn7mib8kra6"
    "__unam" => "bc7c68-14f8d12a5ef-43097c02-217"
    "__utma" => "152883115.857409601.1438038184.1440976773.1441571912.15"
    "__utmb" => "152883115.4.9.1441572254693"
    "__utmc" => "152883115"
    "__utmz" => "152883115.1435960225.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)"
    "XSRF-TOKEN" => "eyJpdiI6ImVqcW1cL09cL3oyQ0ZIcFBiQTRmZXFKUT09IiwidmFsdWUiOiJEbzV0NHcraGNmd3BMb0hibG5uNm9UTnhvNlV4bVRCVWRHOWFBM3VrOG0wZ2Z2NmF5QnpuNFh6a1dYdmhcL2pmWUtIb2lsOGdBS29xV0hvNnFOQktxR2c9PSIsIm1hYyI6IjRjMjU4ZWYxMTJkZTQ1NTU2YWQ3M2EwZjAzZDQwNDI4YzNmOTJjYTVhZTUzZTg4MzFmNTUxZDFkMTljNDBjZjkifQ=="
    "laravel_session" => "eyJpdiI6IkRkcGNLRE9KK3hkOFRNdzFXQzQreWc9PSIsInZhbHVlIjoiQm1qN2lNa2pTQTE2ZTQxUzJxbExGYnhheFhjUkQwM"
  ]
}

Strangely the new cookie I added (yetAnotherCookie) is entirely gone while the laravel session still gets truncated. Inspecting the HTTP request, I noticed that yetAnotherCookie was appended at the end, so truncating the whole string would reasonably remove it from the list:

PHPSESSID=k8qvmt8ccbhcqepbn7mib8kra6; __unam=bc7c68-14f8d12a5ef-43097c02-217; __utma=152883115.857409601.1438038184.1440976773.1441571912.15; __utmb=152883115.4.9.1441572254693; __utmc=152883115; __utmz=152883115.1435960225.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); XSRF-TOKEN=eyJpdiI6ImVqcW1cL09cL3oyQ0ZIcFBiQTRmZXFKUT09IiwidmFsdWUiOiJEbzV0NHcraGNmd3BMb0hibG5uNm9UTnhvNlV4bVRCVWRHOWFBM3VrOG0wZ2Z2NmF5QnpuNFh6a1dYdmhcL2pmWUtIb2lsOGdBS29xV0hvNnFOQktxR2c9PSIsIm1hYyI6IjRjMjU4ZWYxMTJkZTQ1NTU2YWQ3M2EwZjAzZDQwNDI4YzNmOTJjYTVhZTUzZTg4MzFmNTUxZDFkMTljNDBjZjkifQ%3D%3D; laravel_session=eyJpdiI6IkRkcGNLRE9KK3hkOFRNdzFXQzQreWc9PSIsInZhbHVlIjoiQm1qN2lNa2pTQTE2ZTQxUzJxbExGYnhheFhjUkQwMEpybEQ3XC9cL0pDMzA1MXdEeHF3a09qbnRKTjdPMzRKdjdBeFFNQ1hkamw1THFQanlnUURoRjJndz09IiwibWFjIjoiYTkzNjdmYjYyYTMzODM2MmY2MjQyNzZhNDQ1YjY2NzQ3OTFiZjVjODIyZmYzYmE3YjhlNGM1ZjQ2NTk1MTczNyJ9; yetAnotherCookie=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

I cleared all of my cookies for the domain and tried again:

Success

ParameterBag {#40
  #parameters: array:4 [
    "__unam" => "bc7c68-14f8d12a5ef-43097c02-217"
    "XSRF-TOKEN" => "eyJpdiI6ImV6aklvVVNwZHdCMThON1hQOW9rcmc9PSIsInZhbHVlIjoiWlY1aGdQamJ1Y2FQTGxTUDZTTmxPK2xLZm5xZG15enlVXC95RXhRMHNqbm9udkp5T3NnR3FBQ0dxRWEzYTdIVUFveHA1TTZkV2lTcGlcL1wvalQzQ09QbUE9PSIsIm1hYyI6IjYyMzM5MGM4MjYxNzYzNmI5NGYyZDFmMTU3M2M4NTA5NzBlYjZlMGZmMmViM2QzNjlhZjZmNTdlMmE4ZmRjMmUifQ=="
    "laravel_session" => "eyJpdiI6Illzd2xnalRXVzhKaVI0blRQUUtiNXc9PSIsInZhbHVlIjoiKzVaQVR0cHNqbDZEcGd5UG9POWFhbFdyYzhaTDNqb1FOQ2xmcEFYVUZUZTJkNUZSYzNRUlhCajJhNHBNK3VXd2gxYlwvUWtiTEE0bk5lVmp0d2lcL3pkQT09IiwibWFjIjoiNjA5MDU2ODViYTQ4YmM0YjlmYWVmOWY1NzliY2Y3YjdhYjMzYTA0MWU4ZjMwODg0N2E5NGI2N2U2ZDc3MTIwNSJ9"
    "yetAnotherCookie" => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
  ]
}

Failure

ParameterBag {#40
  #parameters: array:4 [
    "__unam" => "bc7c68-14f8d12a5ef-43097c02-217"
    "XSRF-TOKEN" => "eyJpdiI6ImV6aklvVVNwZHdCMThON1hQOW9rcmc9PSIsInZhbHVlIjoiWlY1aGdQamJ1Y2FQTGxTUDZTTmxPK2xLZm5xZG15enlVXC95RXhRMHNqbm9udkp5T3NnR3FBQ0dxRWEzYTdIVUFveHA1TTZkV2lTcGlcL1wvalQzQ09QbUE9PSIsIm1hYyI6IjYyMzM5MGM4MjYxNzYzNmI5NGYyZDFmMTU3M2M4NTA5NzBlYjZlMGZmMmViM2QzNjlhZjZmNTdlMmE4ZmRjMmUifQ=="
    "laravel_session" => "eyJpdiI6Illzd2xnalRXVzhKaVI0blRQUUtiNXc9PSIsInZhbHVlIjoiKzVaQVR0cHNqbDZEcGd5UG9POWFhbFdyYzhaTDNqb1FOQ2xmcEFYVUZUZTJkNUZSYzNRUlhCajJhNHBNK3VXd2gxYlwvUWtiTEE0bk5lVmp0d2lcL3pkQT09IiwibWFjIjoiNjA5MDU2ODViYTQ4YmM0YjlmYWVmOWY1NzliY2Y3YjdhYjMzYTA0MWU4ZjMwODg0N2E5NGI2N2U2ZDc3MTIwNSJ9"
    "yetAnotherCookie" => "abcdefghijklmnopqrstuvwxyzABCDEFGHIJK"
  ]
}

Only yetAnotherCookie was truncated this time, not laravel_session. Looking at the HTTP request again, this cookie has made its way to the end of the list again despite being set first (I guess Chrome alphabetized the list of cookies?) only now the full list was shorter:

__unam=bc7c68-14f8d12a5ef-43097c02-217; XSRF-TOKEN=eyJpdiI6ImV6aklvVVNwZHdCMThON1hQOW9rcmc9PSIsInZhbHVlIjoiWlY1aGdQamJ1Y2FQTGxTUDZTTmxPK2xLZm5xZG15enlVXC95RXhRMHNqbm9udkp5T3NnR3FBQ0dxRWEzYTdIVUFveHA1TTZkV2lTcGlcL1wvalQzQ09QbUE9PSIsIm1hYyI6IjYyMzM5MGM4MjYxNzYzNmI5NGYyZDFmMTU3M2M4NTA5NzBlYjZlMGZmMmViM2QzNjlhZjZmNTdlMmE4ZmRjMmUifQ%3D%3D; laravel_session=eyJpdiI6Illzd2xnalRXVzhKaVI0blRQUUtiNXc9PSIsInZhbHVlIjoiKzVaQVR0cHNqbDZEcGd5UG9POWFhbFdyYzhaTDNqb1FOQ2xmcEFYVUZUZTJkNUZSYzNRUlhCajJhNHBNK3VXd2gxYlwvUWtiTEE0bk5lVmp0d2lcL3pkQT09IiwibWFjIjoiNjA5MDU2ODViYTQ4YmM0YjlmYWVmOWY1NzliY2Y3YjdhYjMzYTA0MWU4ZjMwODg0N2E5NGI2N2U2ZDc3MTIwNSJ9; yetAnotherCookie=abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789

It cut off at 685 bytes this time instead of the 678 from earlier. Curiouser and curiouser.

Update 2

Here's another odd one. I tried hitting a slightly different endpoint. Instead of www.mywebsite.com/api/employees/1, I pinged www.mywebsite.com/api/employees/10

This time one additional letter was removed from the cookie string. This prompted me to look at the entire raw HTTP request one more. Exactly 1435 bytes into the raw HTTP request is when the cookie string got cut off.

So I performed one more experiment: I sent a huge custom header using the following javascript from the browser

$.ajax('/api/employees/1', {
method: 'PATCH',
headers: {'X-REALLY-LONG-HEADER': 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'},
success: function(data) { console.log(data); }
});

I also modified the return value slightly because Laravel's dd() function wraps the return value in a lot of HTML that would make it hard to interpret in the console. With the really long header in place, I got the following after a few attempts:

Cookies:
__unam = bc7c68-14f8d12a5ef-43097c02-217
XSRF-TOKEN = eyJpdiI6ImV6aklvVVNwZHdCMThON1hQOW9rcmc9PSIsInZhbHVlIjoiWlY1aGd

This was actually 1460 bytes into the raw request... I'm not sure how to interpret the fact that it behaved differently, but this is suggesting some weird 1450-ish byte limit before PHP's built-in server craps out on the HTTP request.

Update 3

Attempted to upgrade PHP to 5.6

First apt-get failed me. apt-get install --only-upgrade php5 just installed a slightly newer 5.5.9

Then I downloaded the source from php.net and attempted to build from source. Per the INSTALL instructions, you should run ./configure before running make and make install, so I tried it out. After a short while I got the following:

...
checking for strftime... (cached) yes
checking which regex library to use... php
checking whether to enable LIBXML support... yes
checking libxml2 install dir... no
checking for xml2-config path... 
configure: error: xml2-config not found. Please check your libxml2 installation.

I tried updating this with apt-get install libxml2 and got the following:

root@C9-workspace:~/php-5.6.13# apt-get install libxml2
Reading package lists... Done
Building dependency tree       
Reading state information... Done
libxml2 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 200 not upgraded.

Since ./configure failed me and I can't upgrade libxml2, I tried just installing:

root@C9-workspace:~/php-5.6.13# make
make: *** No targets specified and no makefile found.  Stop.

It's possible I'm just incompetent as a server admin, but I don't know how to install PHP 5.6 without a helpful MSI file

Answer 1

Congrats, you found a PHP bug; I've just reported it.

You can't do anything about it now, except waiting for a fix.

As I noted inside the bug report, the cause really is that the headers are so large, thus the browser splitting it up into multiple TCP packets… and the HTTP parser in sapi/cli/php_http_parser.c currently does not seem to back up the buffer with the header value in case it needs to wait for the next packet and merging it with the next packet later. Hence, it ends up to be truncated.

As code tells sometimes more than text: a simple reproduce case: http://git.php.net/?p=php-src.git;a=commitdiff;h=37d814b84cff3678a2e1d56ea9d3ba3c35082e13