php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Doc Bug #27688 Session names consisting of only numbers cause session id generation
Submitted: 2004-03-25 00:00 UTC Modified: 2005-07-30 10:45 UTC
Votes:3
Avg. Score:4.3 ± 0.9
Reproduced:3 of 3 (100.0%)
Same Version:0 (0.0%)
Same OS:1 (33.3%)
From: ryan at daelibs dot com dot au Assigned:
Status: Closed Package: Documentation problem
PHP Version: 5CVS, 4CVS (2005-01-10) OS: *
Private report: No CVE-ID: None
View Developer Edit
 [2004-03-25 00:00 UTC] ryan at daelibs dot com dot au 
Description:
------------
When you use a session name that has only numbers, each call to session_start seems to regenerate a new session id, so the session does not persist.

The code below can be loaded and refreshed to reproduce the behaviour


Reproduce code:
---------------
<?php

//This name works
//session_name('A9');

//This name doesn't
session_name('99');

session_start();

echo 'Session Name: '.session_name().'<br />';
echo 'Session Id: '.session_id().'<br />';
?>

Expected result:
----------------
Session Name: 99
Session Id: {{a sid that remains the same between each refresh }} 

Actual result:
--------------
Session Name: 99
Session Id: {{a different sid each refresh}}

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2004-03-29 04:53 UTC] unknown at simplemachines dot org 
Here's a simple workaround:

<?php

// This name works.
//session_name('A9');

// This name doesn't...
session_name('99');

// Force the last session id, not the detected one.
session_id($_COOKIE[session_name()]);

session_start();

echo '
	Session Name: ', session_name(), '<br />
	Session ID: ', session_id(), '<br />
	Cookie: ', $_COOKIE[session_name()];

?>

Removing the session_id() line though, shows that the cookie is still being properly set.

-[Unknown]
 [2004-03-29 09:39 UTC] amt@php.net 
This happens because PHP turns a numeric session name 
into an array index inside $_COOKIE and we're doing an 
zend_hash_find() instead of a zend_hash_index_find(). 
(ext/session/session.c, line 1098).

We can probably fix the bug by doing a 
zend_hash_index_find() instead if the session name 
successfully converts to a integer.
 [2005-07-29 18:29 UTC] sniper@php.net 
Session name can NOT be a plain number. 
No checks will be added since that'd make the code slower for no real gain.
 [2005-07-29 18:30 UTC] sniper@php.net 
There should be a big fat warning about this in the manual.
 [2005-07-30 10:45 UTC] vrana@php.net 
This bug has been fixed in the documentation's XML sources. Since the
online and downloadable versions of the documentation need some time
to get updated, we would like to ask you to be a bit patient.

Thank you for the report, and for helping us make our documentation better.

"Session name can't consist only from digits, at least one letter must be present. Otherwise new session id is generated every time."
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Mon Dec 01 11:00:02 2025 UTC