
XF 1.4 PHP, Cookies and $_COOKIE[]

I need to use a PHP library to access and manipulate cookies. My PHP environment does not populate the $_COOKIE[] array superglobal. I notice cookie access is done mostly through the cookie helper but in one place in Session.php:412, in start(), the session ID is retrieved through $_COOKIE and not through the helper:

    $sessionId = (isset($_COOKIE[$cookie]) ? $_COOKIE[$cookie] : '');

Is there a specific reason for not using the cookie helper class to access the cookies here or is it an oversight? All other cookie access I see is using the helper class.

If all cookie access was done through the cookie helper class my job would be as simple as replacing it with one which got its cookies through the library instead of through $_COOKIE. I'd rather not override XenForo_Session:start() to make it use the cookie helper. It's a maintenance headache.

Any comment on this? If it is an oversight, can it be changed for 1.4 final?


XenForo developer
Staff member
It's not really an oversight; the helper isn't generally needed there and the helper itself still effectively reads from $_COOKIE.

I can't say I've ever seen an environment that doesn't expose $_COOKIE and I'm confused as to why you wouldn't want it (it's the same sort of data as $_GET/$_POST and limiting the variable order processing is just going to create challenges).

Cookies are a big deal for us; we serve a lot of them. Our cookie library allows us to access a pre-parsed cookie jar without having to parse cookie contents manually. It decouples the application from the raw, unparsed cookie data. If the cookie data format changes, only the library needs to be updated; all the apps which depend on cookies require no changes. Turning off populating $_COOKIE is a policy designed to force us to use the standard library to access the cookie jar. Even though I'm told it's for performance, it's more about dependencies and maintenance. I don't expect this is a popular problem. It's more related to running within an enterprise managed cloud infrastructure without drawing a lot of attention.
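
The decoupling discussed in this thread, sketched as an added example that is neither XenForo's code nor the poster's library: session start reads the ID through a swappable cookie source instead of touching `$_COOKIE` directly. The names `CookieSource`, `SuperglobalCookieSource`, `HeaderCookieSource` and `readSessionId`, the cookie name `xf_session`, and the session ID format check are all assumptions made for illustration.

```php
<?php
// Hypothetical interface: the only thing the application knows about cookies.
interface CookieSource
{
    public function get(string $name): ?string;
}

// Default source: reads the superglobal, like the line quoted from Session.php.
final class SuperglobalCookieSource implements CookieSource
{
    public function get(string $name): ?string
    {
        return isset($_COOKIE[$name]) && is_string($_COOKIE[$name]) ? $_COOKIE[$name] : null;
    }
}

// Stand-in for an environment where $_COOKIE is not populated:
// the raw Cookie header is parsed once into a jar.
final class HeaderCookieSource implements CookieSource
{
    private array $jar = [];

    public function __construct(string $rawHeader)
    {
        foreach (explode(';', $rawHeader) as $pair) {
            $parts = explode('=', trim($pair), 2);
            // Skip malformed pairs; keep the first value when a name repeats.
            if (count($parts) === 2 && $parts[0] !== '' && !array_key_exists($parts[0], $this->jar)) {
                $this->jar[$parts[0]] = urldecode($parts[1]);
            }
        }
    }

    public function get(string $name): ?string
    {
        return $this->jar[$name] ?? null;
    }
}

// Session start goes through the source and accepts only a plain token
// (assumed format: 16 to 64 alphanumeric characters); anything else yields ''.
function readSessionId(CookieSource $cookies, string $cookieName): string
{
    $id = $cookies->get($cookieName);
    return ($id !== null && preg_match('/^[A-Za-z0-9]{16,64}$/', $id) === 1) ? $id : '';
}

// Constructed sample header with a repeated cookie name.
$source = new HeaderCookieSource('theme=dark; xf_session=0123456789abcdef0123456789abcdef; xf_session=duplicate');
var_dump(readSessionId($source, 'xf_session'));
var_dump(readSessionId($source, 'missing'));
```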