Description:
------------
If session cookie is an empty string, PHP gives the following warning: "Warning:  session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'".

Worst case scenario: If the user sets the session id to an empty string manually in their browser and php errors are displayed, the page will break (could not start session, headers already sent by warning message, etc.).

Normal scenario: display_errors is disabled, so this will only clutter the error log with an unnecessary warning.

In my case I have session.use_only_cookies enabled and I work around the issue with the following code:
<?php
if (isset($_COOKIE[session_name()]) && $_COOKIE[session_name()] === '')
{
	# PHP will throw a warning if session cookie is an empty string
	# workaround: delete cookie if set to empty string
	setcookie(session_name(), '', time()-42000, '/');
	unset($_COOKIE[session_name()]);
}
?>

Reproduce code:
---------------
I used jQuery with a cookie addon to set the cookie to an empty string (was actually trying to delete the cookie), but the same could be simulated with the following 2 lines of PHP:

<?php
$_COOKIE[session_name()] = '';
session_start();
?>

You also get the same using GET (eg. "localhost/index.php?PHPSESSID=", remember to delete any old cookies before trying this or it won't work)

<?php
session_start();
?>


Expected result:
----------------
No warning since session ID is empty and PHP should be smart enough to realise that this means that the session id has not been generated yet.

Actual result:
--------------
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in F:\htdocs\index.php on line 9