RE: base64-encoding in cookies?


 



Thanks everyone, and especially TG, for taking time to reply to my
question.  I have learned that apparently PHP silently runs urldecode()
on all cookies before copying them into the $_COOKIE variable, under
the assumption that all cookies have been urlencoded.

This seems like a bad assumption to me, and is perhaps an attempt to be
consistent with $_GET and $_REQUEST, which as Brad points out, have to
be url encoded.  But cookies aren't urls.  I thought their purpose was
to transfer data transparently, but maybe I am wrong about that.

If this is documented anywhere, I sure couldn't find it.

Moral: always get your cookies from $_SERVER["HTTP_COOKIE"], and *not*
from $_COOKIE.

Thanks again,
Fletcher

-----Original Message-----

> From php-general-return-248512-fletcher=cs.utexas.edu@xxxxxxxxxxxxx  Wed Feb  7 14:21:14 2007
> To: <php-general@xxxxxxxxxxxxx>
> From: <tg-php@xxxxxxxxxxxxxxxxxxxxxx>
> Subject: RE:  base64-encoding in cookies?
> 
> Exactly what I was going to mention, Brad.  Here's some more info.
> 
> Quoted from PHP manual for urlencode():
> 
> "Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits and spaces encoded as plus (+) signs. It is encoded the same way that the posted data from a WWW form is encoded, that is the same way as in application/x-www-form-urlencoded media type. This differs from the RFC1738 encoding (see rawurlencode()) in that for historical reasons, spaces are encoded as plus (+) signs."
> 
> Try this:
> 
> $space = " ";
> 
> echo "Urlencoded: " . urlencode($space) . "<br>\n";
> echo "Rawurlencoded: " . rawurlencode($space) . "<br>\n";
> 
> And you get:
> 
> Urlencoded: +
> Rawurlencoded: %20
> 
> If the only issue the OP is having is that the spaces are being transformed from + to <space> then maybe just do a urlencode($_COOKIE['AUTH']) and try doing the base64 decode off of that.  This assumes that urlencode() doesn't mangle other data in the cookie data.
> 
> Or a string replace " " to "+".
> 
> Kind of a non-technical answer, so maybe there's a better way to do this.  Maybe a setting in apache or PHP.  Don't really have time to research it right now, just wanted to point out the urlencode() and rawurlencode() info.
> 
> PHP manual pages here:
> 
> http://us3.php.net/manual/en/function.urlencode.php
> http://us2.php.net/manual/en/function.rawurlencode.php
> 
> -TG
> 
> = = = Original message = = =
> 
> > -----Original Message-----
> > From: Fletcher Mattox [mailto:fletcher@xxxxxxxxxxxxx]
> > Sent: Wednesday, February 07, 2007 2:49 PM
> > To: php-general@xxxxxxxxxxxxx
> > Subject: Re:  base64-encoding in cookies?
> > 
> > I wrote:
> > 
> > > A campus web server (not under my control) returns an authentication
> > > string in a cookie named AUTH.  The cookie's value is an encrypted,
> > > base64 encoded string.  Unfortunately, when I examine $_COOKIE['AUTH'],
> > > it is clear that all of the '+' characters have been replaced with a ' '
> > > character in the base64 string.  Why is this?  Obviously, this corrupts
> > > the data and makes it impossible to base64-decode the string correctly.
> > > I believe this is a php issue and not, say, an apache issue because a
> > > perl program can correctly authenticate the same cookie based on perl's
> > > $ENV{'HTTP_COOKIE'}.  i.e., the perl cookie contains the original '+'.
> > > Does anyone know how to make php (v5.1.5) do the right thing with base64
> > > encoded cookies?
> > 
> > This problem seems to be
> > 
> > http://bugs.php.net/bug.php?id=35523
> > 
> > where it was dismissed as "Bogus" without any explanation why.  It seems
> > that '+' characters are intentionally converted to spaces in all cookies.
> > This makes no sense to me.  Can someone explain it?
> > 
> > Thanks,
> > Fletcher
> > 
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php
> > 
> 
> Could it have something to do with url encoding?
> 
> For example:
> http://example.com/page.php?foo=ABC+123
> 
> echo $_GET['foo']; // should produce: ABC 123
> 
> http://example.com/page.php?foo=ABC%2B123
> 
> echo $_GET['foo']; // should produce: ABC+123
> 
> HTH,
> 
> Brad
> 

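The behaviour discussed in this thread, as an added example that is not code from any of the posters: it reads the AUTH cookie from the raw Cookie header without URL-decoding and validates the base64 alphabet before decoding, so a value corrupted by the '+' to space conversion is rejected instead of being decoded into the wrong bytes. The function names raw_cookie() and decode_token() and the sample token are constructed for illustration.

```php
<?php
// Added example, not code from the thread. Names and sample data are constructed.

/** Raw (undecoded) value of cookie $name in a Cookie header, or null if absent. */
function raw_cookie(string $header, string $name): ?string
{
    foreach (explode(';', $header) as $pair) {
        $parts = explode('=', trim($pair), 2);   // split on the first '=' only
        if (count($parts) === 2 && $parts[0] === $name) {
            return $parts[1];                    // no urldecode(): '+' stays '+'
        }
    }
    return null;
}

/** Decode a base64 token, or return null if it is not well-formed base64. */
function decode_token(?string $value): ?string
{
    // Check alphabet and length explicitly instead of relying on base64_decode()
    // to reject the spaces that URL-decoding leaves behind.
    if ($value === null || strlen($value) % 4 !== 0
        || !preg_match('/\A[A-Za-z0-9+\/]+={0,2}\z/', $value)) {
        return null;
    }
    $bytes = base64_decode($value, true);
    return $bytes === false ? null : $bytes;
}

// Constructed token whose base64 form contains '+' characters.
$secret = "\xfb\xef\xbe demo";
$token  = base64_encode($secret);

// Constructed header; in a real request pass $_SERVER['HTTP_COOKIE'] instead.
$header = "lang=en; AUTH=$token";

$decodedView = urldecode($token);            // the transformation described in the thread
$rawView     = raw_cookie($header, 'AUTH');  // the value exactly as the client sent it

var_dump($decodedView);                              // '+' characters have become spaces
var_dump(decode_token($decodedView));                // corrupted value is refused
var_dump(decode_token($rawView) === $secret);        // raw value round-trips intact
```

A token that fails decode_token() should be treated as an authentication failure rather than repaired by guessing which spaces were originally '+'.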

