Feedback+Questions about Cookie bomb handling

(My1) #1

(did’t know what category to put it in but since it also has feedback I guess I put it there, if there’s a better place, just tell me.)

for starters I have to say that it’s pretty amazing that caddy does not completely break upon setting off a cookie bomb

(e.g. via

var base_domain = document.domain.substr(document.domain.indexOf('.'));
var pollution = Array(4000).join('a');
if(confirm('Should I Cookie Bomb '+base_domain+'?')){
  for(var i=1;i<99;i++){
    document.cookie='bomb'+i+'='+pollution+';Domain='+base_domain;
  }
}

in the browser console)
but i noticed one intresting thing, some cookies didnt to to the site, and upon analying a dump I made the cookie header field was apparently truncated to 65993 characters, which is a quite odd number (it may or may not be PHP, no idea, but also no Idea how to dump the request all at once quickly without PHP).

is caddy doing this or is it php? if it is caddy is there any meaning behind that number?

btw the script I used for dumping:

<?php
$s="";
// add Method and URI
$s.=$_SERVER['REQUEST_METHOD']." ".$_SERVER['REQUEST_URI']."\n\n";

//after that the headers
$headers = apache_request_headers();
foreach ($headers as $header => $value) {
    $s.= "$header: $value\n";
}
$s.="\n";

//Reuqest body

$s.=file_get_contents( 'php://input' );

file_put_contents("_php-dump.log",$s);

?>