PHP applies a workaround for old MSIE where setting an empty cookie value would
not delete the cookie. This workaround is only triggered if an empty string (or
a value that converts to an empty string) is actually given as $value parameter
of setcookie. If the $value parameter is omitted, an empty cookie value is
sent. This commit fixes the inconsistent behavior.
* master: (41 commits)
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
Update copyright year to 2014
NEWS
Fix Request #67453 Allow to unserialize empty data.
Update copyright year to 2014
Update copyright year for re2c generated files
Update copyright year to 2014
Update copyright year for re2c files as well
Fix patch for bug #67436
fix failed test
Fix test on modern distro where old unsecure algo are disabled in openssl config. Testing recent algo should be enough to check this function.
Added tests for bug 67436
Fixed wrong XFAIL test - already fixed
Fix typo in Bug #67406 NEWS entry
Fix typo in Bug #67406 NEWS entry
...
Conflicts:
Zend/zend_compile.c
ext/session/session.c
ext/standard/array.c
ext/standard/http_fopen_wrapper.c
tests/classes/bug63462.phpt
Up until now the session cookie used "HttpOnly" to indicate cookies
only available through HTTP while setcookie() used "httponly". The
relevant RFC 6265 claims that case does not matter for this token,
but only explicitely mentions "HttpOnly". Thus this seems like a
logical choice when streamlining the code.
Also the setcookie implementation now uses the same string constants
as the session extension for other tokens like Max-Age or the domain
attribute.
This change poses a slight risk of backwards incompatibility in places
where people deliberately ignore chapter 5.2.5 of RFC 6265 and perform
case-sensitive checks for the HttpOnly attribute.
