KohanaPHP » Kohana v3.x

Sam de Freyssinet wrote:

This is a problem with your web server configuration/php configuration. The X-Powered-By header should be respected by PHP if set by the script executing, however if your php.ini expose_php setting is set to anything other than Off, PHP will either insert or more usually override the header set in the executing script.

The logic in Kohana has not changed with regards to setting this header. It is your environment that needs attention.

If you want to expose Kohana, ensure your php.ini settings are set correctly. If you want to expose PHP, then ensure Kohana's expose settings are set correctly.

Hi Sam,

I am really disappointed by your reply to this ticket. It looks like you have not looked at the problem at all and closed the ticket immedately. Can you please run a kohana 3.1 and kohana 3.2 site side by side on the same server and see the difference in the header?

I have expose_php settings on (as always) and I just upgraded one of my site to KO 3.2 and started having duplicate header problem for X-Powered-By header.

Regarding your quote that nothing is changed in that regard is not true, please see classes/kohana/response.php and you will see indeed a visible changes in the way header logic.

Yes the header logic with regards to header processing has changed. But the X-Powered-By header is set the same way using the php header() native function.

I have testing this locally and when the expose_php setting is on, PHP overrides the X-Powered-By header with it's own. If setting is off then Kohana reports it's version. Given there is only one way to set this header, this is an environment issue.

BUT more important.ly Why are you exposing Kohana and PHP when they both use the same HTTP header? This will have unpredictable results! If you want to expose Kohana turn off expose_php.

After further investigation (I have created an environment similar to yours, PHP 5.3.2 and Nginx 0.7) I have replicated this issue. Seems PHP now appends the X-Powered-By header to the response headers rather than overriding it.

However, after discussing this with the internals team, this issue will remain invalid.

The reason it is remaining invalid is two-fold;

1. If you do not wish PHP to expose itself, you should use the expose_php setting to switch this off. This is the advice also given by the PHP internals team.
2. Sending two X-Powered-By HTTP headers is perfectly valid and allowed within the HTTP specification. Therefore there is no harm in sending them both as long as they do not change the context of the message. Custom HTTP headers should never be able to do this, and certainly it is the case that X-Powered-By is benign.

Thank you very much. I appreciate your time spent on reproducing the issue. Perhaps I need to talk to the guys at php.net further about this issue.

I'm not sure what the intended results are, but this is indeed a behavior change from 3.1.x. Before Kohana 3.2, we always replaced headers, so the Kohana x-powered-by header would replace the php one. However in Kohana 3.2+ we append headers instead of replacing them, so you get both Kohana and php's x-powered-by headers.

You can pass TRUE into the send_headers() call in your index.php file if you'd like to have the 3.1 behavior of always replacing headers.

echo Request::factory()
    ->execute()
    ->send_headers(TRUE)
    ->body();

The 3.2 implementation was designed to append all headers unless you specify otherwise, so that Set-Cookie could be defined multiple times for example. The current behaviour is expected behaviour.

nope

nope.