I have this code in an assets controller to get images:
function images($path, $image_name)
{
    // basename() reduces each segment to a single file or directory name, so a
    // value such as "../../config" cannot escape the images directory
    $path = basename($path);
    $image_name = basename($image_name);
    $image = "../assets/images/$path/$image_name";

    if (!file_exists($image) || !is_file($image)) {
        // nothing to serve: answer 404 rather than calling getimagesize() on a missing path
        http_response_code(404);
        return;
    }
    $name = $image_name;

    $file = getimagesize($image);
    $filesize = filesize($image);
    $time_cache = 360000000000;
    $ts = gmdate("D, d M Y H:i:s", time() + $time_cache) . " GMT";

    // no trailing "\n" in header values: header() refuses a value that contains a newline
    header("Content-Type: {$file['mime']}");
    header("Content-Disposition: inline; filename=\"$name\"");
    header("Content-Length: $filesize");
    header("Expires: $ts");
    header("Pragma: cache");
    header("Cache-Control: max-age=$time_cache");
    readfile($image);
}
I have set csrf protection to true in the config/config.php file, and every request for an image is sent with a Set-Cookie header. So the csrf cookie can get set multiple times on some pages. Is that something to worry about, and if so, is there a way to prevent this?
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
If multiple cookies of the same name match a given request URI, one is chosen by the browser. The more specific the path, the higher the precedence. However, precedence based on other attributes, including the domain, is unspecified, and may vary between browsers.
The Set-Cookie header is sent by the server in response to an HTTP request, which is used to create a cookie on the user's system. The Cookie header is included by the client application with an HTTP request sent to a server, if there is a cookie that has a matching domain and path.
@RobDolinMS Also, you can't have multiple Cookie headers in the request. As per RFC 6265 §5.4: When the user agent generates an HTTP request, the user agent MUST NOT attach more than one Cookie header field.
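To make the storage and precedence rules from the answer above concrete, here is an added example in Python; it is not code from the question or from any of the answers. It is a minimal cookie jar for a single host that follows the RFC 6265 default-path, path-match, storage and Cookie-header rules. The cookie name csrf_cookie_name, its values and the request paths are constructed sample data, and the Domain, Secure, HttpOnly and Expires attributes are assumed away (only Path and Max-Age are modelled). It shows that re-sending the same Set-Cookie on every image response replaces the stored cookie instead of piling up copies, that a Set-Cookie without a Path attribute on an image response is scoped to /assets/images by the default-path rule, and that the single Cookie header lists every matching cookie with the longest path first.

```python
"""Minimal model of a browser cookie jar following RFC 6265 sections 5.1.4,
5.3 and 5.4 for a single host. Added example for this Q&A page, not code from
the question or the answers; cookie names, values and paths are constructed.
Domain, Secure, HttpOnly and Expires are assumed away; only Path and Max-Age
are modelled."""
from __future__ import annotations


def default_path(request_path: str) -> str:
    """Default-path algorithm (RFC 6265 section 5.1.4) for a cookie with no Path."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0] or "/"


def path_matches(cookie_path: str, request_path: str) -> bool:
    """Path-match rule from RFC 6265 section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def parse_set_cookie(header_value: str, request_path: str) -> dict:
    """Split one Set-Cookie value into name, value, path and max-age."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "path": None, "max_age": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "max-age" and val.lstrip("-").isdigit():
            cookie["max_age"] = int(val)
    if cookie["path"] is None:
        cookie["path"] = default_path(request_path)
    return cookie


class CookieJar:
    def __init__(self) -> None:
        # Keyed by (name, path): a later Set-Cookie with the same key replaces the
        # stored cookie (section 5.3), so repeats do not accumulate. A dict keeps
        # the key's original position on reassignment, which matches the rule
        # that the replacement inherits the old cookie's creation time.
        self._cookies: dict[tuple[str, str], dict] = {}

    def receive(self, set_cookie_headers: list[str], request_path: str) -> None:
        """Process every Set-Cookie header of one response, in order."""
        for header in set_cookie_headers:
            c = parse_set_cookie(header, request_path)
            key = (c["name"], c["path"])
            if c["max_age"] is not None and c["max_age"] <= 0:
                self._cookies.pop(key, None)  # Max-Age <= 0 deletes the cookie
            else:
                self._cookies[key] = c

    def count(self) -> int:
        return len(self._cookies)

    def cookie_header(self, request_path: str) -> str | None:
        """The one Cookie header for a request (section 5.4): every matching
        cookie, longer paths first, ties in creation order."""
        matching = [c for c in self._cookies.values() if path_matches(c["path"], request_path)]
        matching.sort(key=lambda c: len(c["path"]), reverse=True)  # stable sort keeps creation order
        if not matching:
            return None
        return "; ".join(f"{c['name']}={c['value']}" for c in matching)


def demo() -> dict:
    """Replay the situation from the question with constructed cookie values."""
    jar = CookieJar()
    # page load sets the CSRF cookie once
    jar.receive(["csrf_cookie_name=abc123; Path=/"], "/")
    # three image responses on that page each re-send the same cookie
    for _ in range(3):
        jar.receive(["csrf_cookie_name=abc123; Path=/"], "/assets/images/logo.png")
    # a cookie of the same name but a deeper path sorts first for requests under it
    jar.receive(["csrf_cookie_name=deeper; Path=/admin"], "/admin/index")
    # no Path attribute on an image response: scoped to /assets/images by default-path
    jar.receive(["csrf_cookie_name=nopath"], "/assets/images/logo.png")
    return {
        "stored": jar.count(),
        "root": jar.cookie_header("/"),
        "admin": jar.cookie_header("/admin/users"),
        "image": jar.cookie_header("/assets/images/logo.png"),
        "css": jar.cookie_header("/assets/css/site.css"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running demo() leaves three stored cookies, and a request under /admin gets "csrf_cookie_name=deeper; csrf_cookie_name=abc123". Note that the user agent sends every matching cookie in that one header; which duplicate the application then reads is decided by its server-side cookie parser, which is why the same name under two paths is worth avoiding.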
I managed to do this with header_remove("set-cookie");
So the code looks like this:
// header_remove() exists since PHP 5.3; it must run before readfile() starts
// output, because headers cannot be changed once the body has been sent
header("Content-Type: {$file['mime']}");
header("Content-Disposition: inline; filename=\"$name\"");
header("Content-Length: $filesize");
header("Expires: $ts");
header("Pragma: cache");
header("Cache-Control: max-age=$time_cache");
header_remove("set-cookie");
readfile($image);
If in only one page/image request you use the setcookie function many times, PHP will send the same cookie to the browser many times in one response. Maybe some browsers crash reading that.
I've had problems with AJAX requests in Internet Explorer due to multiple cookie definitions, when I accidentally started the session object in CakePHP inside a loop. I only detected that problem by sniffing the connection with Wireshark.