Analysis of the problem that the cookie value in PHP contains a plus sign (+) and becomes a space

background

Recently, I found some user feedback , Can't get login information , So it was analyzed

analysis

Our login information is encrypted and stored in cookie Medium , Check this user's cookie The encrypted information contains   plus “+” , however php $_COOKIE At the time of acquisition , It becomes a space , So decryption failed

Analyze the information in the request header and find , The value passed by the request is “+” Of , however ：

such as cookie Stored in the   “cWEolyrQ0l63FG+YWHA”  ,$_COOKIE Get the displayed   “cWEolyrQ0l63FG YWHA”  , One more space

So I looked for information

Find the following introduction ：

notes ： Sending cookie when ,setcookie The value of will be automatically URL code . When received... Will be done URL decode . If you don't have to , have access to  setrawcookie()  Instead of .

​

notes ：setrawcookie() And  setcookie()  almost the same , The difference is that it will not be sent to the client , Yes cookie Value automatically URL code . Use setrawcookie, Values within these characters cannot be used ：（; \ t \ r \ n \ 013 \ 014）

Look at this introduction , I think after taking it out urldecode Just a moment

urldecode($_COOKIE['user_id'])

Actually, it doesn't work , So try   urlencode , I found it successful , But if cookie There are other special characters in such as "/" , Not anymore.

urlencode($_COOKIE['user_id'])

So this scheme , Can't solve the problem

Solution

We analyzed the request header above cookie Is a full , So we can try to get from the request header cookie

<?php

// getallheaders  yes  apache Supported functions ,nginx You need to define yourself 
if (!function_exists('getallheaders')) {
    function getallheaders()
    {
        foreach ($_SERVER as $name => $value) {
            if (substr($name, 0, 5) == 'HTTP_') {
                $headers[str_replace(' ', '-', ucwords(strtolower(str_replace('_', ' ', substr($name, 5)))))] = $value;
            }
        }
        return $headers;
    }
}

$cookieStr = getallheaders()['Cookie'];
$cookies = explode(';',$cookieStr);
foreach($cookies as $cookie)
{
    $cookieTmp = explode('=',$cookie);
    $_COOKIE[trim($cookieTmp[0])] = trim($cookieTmp[1]);
}

Other solutions

1. Yes cookie The value of the to base64_encode(), When you use it base64_decode()

Reference resources

PHP setrawcookie() function

PHP setcookie() function

php in cookie The value of contains a plus sign （+） Get the problem analysis that becomes a space _php_PHP Interview network