[ FEATURE REQUEST ] set_setcookie_handler() function

[gzhegow1991]

Description

Same as set_error_handler/set_exception_handler
Old legacy projects uses setcookie() methods right in place.

setcookie() should be called after cookies of current request is normalized.

For example - after logout you clear cookies. After login - you put new cookies over cleared before. You have to send new cookies otherwise 502 Bad Gateway on nginx.

Yes, could be redesigned all the logic of authorization from scratch but better if you can catch setcookie call and transform it to your response class instead of internal header() call.

[hormus]

@6562680 Hi, could you describe me better? Your code seems not to conform to the http spec. The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. However it is useful to use an http redirect to retrieve the cookie (login) or delete the cookie (logout).

You cannot delete the cookie and request the cookie at the same http request.

[gzhegow1991]

Ok, let me show you the use-case.

Ready legacy project where setcookie is used directly in the core. Example - wordpress.
Originally wordpress uses authorization cookies right in place and even required to force page reload to ensure that cookie is set. But after wordpress you do custom logic.

What does it look like? You do some actions on your page, then somebody calls login, but the wordpress is printed out the website header html before. So the headers couldn't be set because some output was sent. Its not only wordpress but almost all old legacy websites or known CMS issue. Thats why i ask php devs to solve it, otherwise we should stop using some code that is unapplicable in the business. Awaiting until cms-devs fixed the issue still no solution, in 70% of cases it will never happen.

Correct way is a framework - using some Response class, as a queue pattern. You collect output and the headers, then call ->send() method that is call sendHeaders() then sendContent(). But as I said above - sites use setcookie directly in place, and to fix the behavior you need to inspect whole code (otherwise you get old good "warning" = headers already sent).

To rebuild this behavior you have to catch cookies to some array, then merge the array with all response cookies. So you need to implement something like the symfony/http-foundation package to collect cookies, then write functions like _setcookie(), then rewrite wordpress methods that use setcookie, and all your code that uses setcookie...

Just rewriting setcookie in the new PHP release is not a solution because of backward compatibility.

Another requirement in development is a debug deployed application that works unexpectedly. You first go to DevConsole in browser, see responseHeaders there, then you try to fix things. There's problem of server configuration too - some servers sends headers from their configs and with this problem on PHP level we can't do anything. But we can improve control on PHP header() call, allowing user temporarily disable any headers except server ones to separate problems right in place.

It's not a "problem" in wide sense, the canonical solution is to catch the output ob_start/ob_get_clean allowing headers to be set right in place, but print all the output in our own code.

For debug reasons it would be great to see, maybe not even for cookies, but for headers some callback that works on any header is set to prevent sending that header or catching it out. Also common stuck is a redirection. header('Location:') is still a header, ability to catch this call and print it via symfony dump() function its like "stop point" in most other languages or in php xdebug. Catch/prevent headers tool is necceseary.

Like we can catch any exception or error defining set_error_handler/set_exception_handler, it would be great to see set_header_handler.

Its possible to solve without, but being realized it reduces the time exploring internal code of the libraries and frameworks - you just set the handler and you know not only "what headers is sent for the moment" (headers_sent()) but also "where was the call with a stack trace (calling debug_backtrace() in this handler)"

ps. much known processes requires "async calling" - i mean collect calls and run them after some logic is calculated... Database insertion is a good example too (thats why doctrine still alive). Its a part of big conceptual problem of "still no async-related functions in php core". Usually i always implement that stuff for "flash messages", "for db insertion", "for emails-queue", "for any external services"... "Async" (delayed queue sync) stuff is required thing even in syncronyous language. Stuff that we call "router" or "http-foundation" - i've explored few frameworks and most of the tools develop own way to process even "request stack". Original idea of "request stack" is a "event loop". Different names, same idea.

ps2. found header_register_callback() function that is exactly one i've asked here. But the function is called once first header is sent... or maybe on first echo call on the page. Is like half-productivity. set_error_handler() callback called on any error, also allow you to stop/ignore error. Why this one is called once, i dont understand (i didnt practice this one but read the docs). Guess needed set_header_callback implementation and mark this one as deprecated.

====

In short:

1. Catch headers to prevent sending = prevent redirection in current run
2. Catch headers to inspect any library code to see "what file is settting that header"
3. Catch headers to separate server/php related problems
4. Catch headers to unique the values preventing server to send two cookies - one with null-value (logout), second with new-value (login) that could cause 502 on nginx
5. Catch headers as a part of conceptual problem of missing async (do not confuse with parallel/few processes) processing in php. Wordpress is full event-stormed hell, you cant follow the running order of the functions other way, and also you cant explain that difficultness to your employer, because of he's dummy in programming.
6. There's additional difficult word named "aspect/context programming", so this issue for me is a part of this one too. I've touched this topic when try to explain in RFC my idea of error collection without changing input/output signature of the methods (adding context to catch anything you need only if you need it instead of always). Btw idea was denied because of "traditional" and "culture" stuff.

--
+375 (29) 676-48-68 / Mobile - предпочитаемый способ связи
https://t.me/gzhegow / https://t.me/%2B375296764868 / Telegram
6562680@gmail.com

[gzhegow1991]

Headers may also contain one or more semicolons: the first to separate the name and contents of the header, the others to separate the time header 00:00:00. This means that it is not possible to call explode(':', $header, 2) to determine whether the header is properly formatted, which is passed without a name but will eventually be parsed as a valid header. This means that you need to create a registry of all HTTP headers, which is simply not possible. Maybe clear the entire time substring using a regex, and I think there might be more things than just 00:00 with semicolons present...

The only way to normalize direct/queued headers is to create a new header() function that expects two arguments (header name, header content) and only then implement a handler to call this new function gives the possibility to catch the calls and determine place of the call.

header() is similar to the echo language construct but without ob_start()/ob_clean() implemented to intercept the output... so it is not completely useful during code refactoring and has been used frequently on any PHP website just because there is no alternative. And this is the reason why all the famous PHP frameworks and even the php-fig team create their own interfaces/implementations for http stuff, I mean - for things that are included in PHP and do not require re-implementation.

That damn request/response classes is present in any php library with the authors' own modifications... And that classes is foundation classes so selecting one of the implementations step by step forces you to use framework that had published it. So writing on raw php few years ago started to become a hobby instead of the job. Just because of foundation functions make problems.

The only reason for the request is to parse any "non-raw"/raw/files body and the response is to generate headers/body for strings/streams/redirects and manage header/cookies - hell.

[kkmuffme]

You want a callback that is called every time setcookie is called to e.g. unset/delay sending the cookie?

What about other HTTP headers? They would have the same issue, wouldn't they?

However, this won't fix your issue, since any code can just call flush(); to send the output at any point in time, which will send the headers/cookies too, unless you're ob buffering it (and even then it can be flushed in all but 1 case)
Therefore, I think this is a WONTFIX issue?

---

Since you're referring to WP, the issue is in fact not the CMS but your code most likely. WooCommerce had a similar issue as you a couple years back and started to ob buffer it, therefore effectively making wp-admin extremely slow.
It seems like your logic and display are intertwined, which is the actual bad practice. You need to run your logic on an early hook, before output starts, and your display on a later hook.
If you could pinpoint towards an example of where you think there's an issue in WP core, please let me know, as I'd be happy to take a look and PR a fix.