I have a cookie that is set by a web app.  When I read the cookie from inside EE, it is slightly different.

The contents of the cookie as shown below are
[array position] => character data echoed out—(ascii value as determined by php’s ORD function)

The cookie that is set by the external application, and also read back from a page completely external to EE:

[0] => g—(asc 103)
[1] => h—(asc 104)
[2] => X—(asc 88)
[3] => B—(asc 66)
[4] => 6—(asc 54)
[5] => g—(asc 103)
[6] => p—(asc 112)
[7] => t—(asc 116)
[8] => w—(asc 119)
[9] => V—(asc 86)
[10] => y—(asc 121)
[11] => X—(asc 88)
[12] => M—(asc 77)
[13] => Y—(asc 89)
[14] => w—(asc 119)
[15] => D—(asc 68)
[16] => t—(asc 116)
[17] => 2—(asc 50)
[18] => 5—(asc 53)
[19] => A—(asc 65)
[20] => f—(asc 102)
[21] => m—(asc 109)
[22] => 2—(asc 50)
[23] => z—(asc 122)
[24] => L—(asc 76)
[25] => 6—(asc 54)
[26] => 6—(asc 54)
[27] => J—(asc 74)
[28] => L—(asc 76)
[29] => p—(asc 112)
[30] => s—(asc 115)
[31] => A—(asc 65)
[32] => 6—(asc 54)
[33] => V—(asc 86)
[34] => v—(asc 118)
[35] => F—(asc 70)
[36] => X—(asc 88)
[37] => 2—(asc 50)
[38] => w—(asc 119)
[39] => 8—(asc 56)
[40] => H—(asc 72)
[41] => 1—(asc 49)
[42] => H—(asc 72)
[43] => 4—(asc 52)
[44] => h—(asc 104)
[45] => L—(asc 76)
[46] => 2—(asc 50)
[47] => L—(asc 76)
[48] => c—(asc 99)
[49] => h—(asc 104)
[50] => b—(asc 98)
[51] => h—(asc 104)
[52] => b—(asc 98)
[53] => 0—(asc 48)
[54] => W—(asc 87)
[55] => V—(asc 86)
[56] => r—(asc 114)
[57] => 3—(asc 51)
[58] => i—(asc 105)
[59] => e—(asc 101)
[60] => P—(asc 80)
[61] => t—(asc 116)
[62] => I—(asc 73)
[63] => V—(asc 86)
[64] => Z—(asc 90)
[65] => h—(asc 104)
[66] => 1—(asc 49)
[67] => v—(asc 118)
[68] => 1—(asc 49)
[69] => k—(asc 107)
[70] => a—(asc 97)
[71] => A—(asc 65)
[72] => T—(asc 84)
[73] => s—(asc 115)
[74] => g—(asc 103)
[75] => /—(asc 47)
[76] => s—(asc 115)
[77] => e—(asc 101)
[78] => v—(asc 118)
[79] => Z—(asc 90)
[80] => w—(asc 119)
[81] => G—(asc 71)
[82] => i—(asc 105)
[83] => U—(asc 85)
[84] => k—(asc 107)
[85] => N—(asc 78)
[86] => Z—(asc 90)
[87] => C—(asc 67)
[88] => v—(asc 118)
[89] => Q—(asc 81)
[90] => K—(asc 75)
[91] => u—(asc 117)
[92] => /—(asc 47)
[93] => w—(asc 119)
[94] => T—(asc 84)
[95] => 4—(asc 52)
[96] => e—(asc 101)
[97] => m—(asc 109)
[98] => Z—(asc 90)
[99] => q—(asc 113)
[100] => s—(asc 115)
[101] => d—(asc 100)
[102] => T—(asc 84)
[103] => b—(asc 98)
[104] => 2—(asc 50)
[105] => f—(asc 102)
[106] => o—(asc 111)
[107] => =—(asc 61)
[108] =>—(asc 9)
[109] => G—(asc 71)
[110] => p—(asc 112)
[111] => o—(asc 111)
[112] => a—(asc 97)
[113] => g—(asc 103)
[114] => j—(asc 106)
[115] => 7—(asc 55)
[116] => T—(asc 84)
[117] => a—(asc 97)
[118] => h—(asc 104)
[119] => E—(asc 69)
[120] => =—(asc 61)

The cookie that is read back from inside an expression engine template using $_COOKIE:

[0] => g—(asc 103)
[1] => h—(asc 104)
[2] => X—(asc 88)
[3] => B—(asc 66)
[4] => 6—(asc 54)
[5] => g—(asc 103)
[6] => p—(asc 112)
[7] => t—(asc 116)
[8] => w—(asc 119)
[9] => V—(asc 86)
[10] => y—(asc 121)
[11] => X—(asc 88)
[12] => M—(asc 77)
[13] => Y—(asc 89)
[14] => w—(asc 119)
[15] => D—(asc 68)
[16] => t—(asc 116)
[17] => 2—(asc 50)
[18] => 5—(asc 53)
[19] => A—(asc 65)
[20] => f—(asc 102)
[21] => m—(asc 109)
[22] => 2—(asc 50)
[23] => z—(asc 122)
[24] => L—(asc 76)
[25] => 6—(asc 54)
[26] => 6—(asc 54)
[27] => J—(asc 74)
[28] => L—(asc 76)
[29] => p—(asc 112)
[30] => s—(asc 115)
[31] => A—(asc 65)
[32] => 6—(asc 54)
[33] => V—(asc 86)
[34] => v—(asc 118)
[35] => F—(asc 70)
[36] => X—(asc 88)
[37] => 2—(asc 50)
[38] => w—(asc 119)
[39] => 8—(asc 56)
[40] => H—(asc 72)
[41] => 1—(asc 49)
[42] => H—(asc 72)
[43] => 4—(asc 52)
[44] => h—(asc 104)
[45] => L—(asc 76)
[46] => 2—(asc 50)
[47] => L—(asc 76)
[48] => c—(asc 99)
[49] => h—(asc 104)
[50] => b—(asc 98)
[51] => h—(asc 104)
[52] => b—(asc 98)
[53] => 0—(asc 48)
[54] => W—(asc 87)
[55] => V—(asc 86)
[56] => r—(asc 114)
[57] => 3—(asc 51)
[58] => i—(asc 105)
[59] => e—(asc 101)
[60] => P—(asc 80)
[61] => t—(asc 116)
[62] => I—(asc 73)
[63] => V—(asc 86)
[64] => Z—(asc 90)
[65] => h—(asc 104)
[66] => 1—(asc 49)
[67] => v—(asc 118)
[68] => 1—(asc 49)
[69] => k—(asc 107)
[70] => a—(asc 97)
[71] => A—(asc 65)
[72] => T—(asc 84)
[73] => s—(asc 115)
[74] => g—(asc 103)
[75] => /—(asc 47)
[76] => s—(asc 115)
[77] => e—(asc 101)
[78] => v—(asc 118)
[79] => Z—(asc 90)
[80] => w—(asc 119)
[81] => G—(asc 71)
[82] => i—(asc 105)
[83] => U—(asc 85)
[84] => k—(asc 107)
[85] => N—(asc 78)
[86] => Z—(asc 90)
[87] => C—(asc 67)
[88] => v—(asc 118)
[89] => Q—(asc 81)
[90] => K—(asc 75)
[91] => u—(asc 117)
[92] => /—(asc 47)
[93] => w—(asc 119)
[94] => T—(asc 84)
[95] => 4—(asc 52)
[96] => e—(asc 101)
[97] => m—(asc 109)
[98] => Z—(asc 90)
[99] => q—(asc 113)
[100] => s—(asc 115)
[101] => d—(asc 100)
[102] => T—(asc 84)
[103] => b—(asc 98)
[104] => 2—(asc 50)
[105] => f—(asc 102)
[106] => o—(asc 111)
[107] => =—(asc 61)
[108] =>—(asc 32)
[109] =>—(asc 32)
[110] =>—(asc 32)
[111] =>—(asc 32)
[112] => G—(asc 71)
[113] => p—(asc 112)
[114] => o—(asc 111)
[115] => a—(asc 97)
[116] => g—(asc 103)
[117] => j—(asc 106)
[118] => 7—(asc 55)
[119] => T—(asc 84)
[120] => a—(asc 97)
[121] => h—(asc 104)
[122] => E—(asc 69)
[123] => =—(asc 61)

What is EE doing to change the cookie?

Before I manually go through every element in the array, at which position do changes occur?

Position 108.

And a couple points of clarification…

Of course the cookie is a string, but I put it into an array in the posting above so that I can see where the change was occuring.

If I edit the index.php of expressionengine (ee/index.php) and try to read the cookie at the very beginning of the file with $_COOKIE[‘temp’], it reads fine.

If I read the cookie at the end of that file (or any place after core.system.php is included in), it’s mangled.

Heh- bit odd.  Any way I can try to replicate on my own install?  Give me the key/array that should break, I’ll try setting it via php outside EE then see what happens when I print it out in a template.  Would that show the breakage?

And what build/version are you running?

(I can see a cookie failing the EE security, but seems odd it would alter it.  Usually generates an error message.)

Hm- and any extensions in play?

No extensions.

I’m attaching an archive with two files: setcookie.php and readcookie.php

Unarchive in your web directory.

Load up setcookie.php in your browser.

Put the contents of readcookie.php at the top of ee/index.php and again at the end of ee/index.php

Load up ee/index.php in your browser.

You will see that you get two different values for the cookie.

This call in core.system.php is what’s changing my cookie:

$IN->fetch_input_data();

From my response to the bug report for this issue:

All input data goes through some minor modifications for both standardization and security.  In this case, tabs are converted in ExpressionEngine 1.x to 4 space characters for a specific issue encountered years ago, and this has continued for legacy support reasons.  2.0 will be the earliest break from this behavior, but a simple hack to core.input.php at the top of the file that will be safe and easy to maintain is to change:

to

And ExpressionEngine will no longer trim whitespace from your input data nor convert tabs to spaces.