Bug #32966 Problem parsing cookies
Submitted: 2005-05-06 17:52 UTC
Modified: 2005-05-06 22:58 UTC
From: m dot cave-ayland at webbased dot co dot uk
Assigned:
Status: Not a bug
Package: Session related
PHP Version: 4.3.11
OS: Linux 2.4
Private report: No
CVE-ID: None
 [2005-05-06 17:52 UTC] m dot cave-ayland at webbased dot co dot uk
Description:
------------
I have found a problem with using sessions and cookies under PHP 4.3.3, however I have done a brief check using the CVS web interface and I believe the problem may still be present in the latest 4.3.11. A test with PHP 5.0 showed the problem did not exist there.

I was using a buggy client that was accidentally sending two "Cookie:" strings containing the PHP session ID to the webserver (Apache 2.0.47) during a form POST to upload a file, and found that PHP was erroring out with the error "The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9". The error disappeared when the Cookie line was sent once as expected.

Digging into the code shows that cookie values retrieved from the SAPI manager were being separated by a comma, whereas the PHP code was looking for a semi-colon and null as separator values.

My fix was to add a comma to the list of separators at the equivalent of line 293 of /main/php_variables.c in PHP 4.3.11, however this is my first look at the PHP source and so there may be a better fix or this may not be correct.


Many thanks,

Mark.


Reproduce code:
---------------
Using a raw telnet session to an Apache WebServer running PHP:

GET / HTTP/1.0
Host: myhost.somewhere.com
Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
Cookie: ANOTHER=randomvalue

Expected result:
----------------
No error.

Actual result:
--------------
session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9
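
The separator mismatch described in the report, shown as an added example (this is not PHP's source and not part of the original report). It assumes the repeated Cookie lines reach the parser joined with ", "; the names `cookie_value`, `valid_session_id`, `session_id_ok` and `MERGED` are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Copy cookie `name`'s value into `out`, splitting pairs on any char in `seps`. */
static int cookie_value(const char *p, const char *seps, const char *name,
                        char *out, size_t outlen)
{
    size_t nlen = strlen(name);
    while (*p) {
        size_t plen = strcspn(p, seps);          /* length of this pair */
        const char *pair = p, *next = p + plen;
        while (plen && *pair == ' ') { pair++; plen--; }
        if (plen > nlen && pair[nlen] == '=' && !strncmp(pair, name, nlen)) {
            size_t vlen = plen - nlen - 1;
            if (vlen >= outlen) return 0;        /* refuse to truncate */
            snprintf(out, outlen, "%.*s", (int)vlen, pair + nlen + 1);
            return 1;
        }
        p = *next ? next + 1 : next;             /* step over the separator */
    }
    return 0;
}

/* The rule quoted in the error message: only a-z, A-Z and 0-9. */
static int valid_session_id(const char *id)
{
    if (!*id) return 0;
    while (isalnum((unsigned char)*id)) id++;
    return *id == '\0';
}

/* Constructed input: the report's Cookie lines joined with ", " (assumed). */
static const char MERGED[] =
    "PHPSESSID=6664337de02c5bad6c175e0bb3c10a45, "
    "PHPSESSID=6664337de02c5bad6c175e0bb3c10a45, ANOTHER=randomvalue";

/* 1 when the PHPSESSID extracted with `seps` passes validation. */
static int session_id_ok(const char *header, const char *seps)
{
    char id[128];
    return cookie_value(header, seps, "PHPSESSID", id, sizeof id)
           && valid_session_id(id);
}

int main(void)
{
    printf("';' only: %d  ';' and ',': %d\n",
           session_id_ok(MERGED, ";"), session_id_ok(MERGED, ";,"));
    return 0;
}
```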

 [2005-05-06 22:58 UTC] sniper@php.net
Please do not submit the same bug more than once. An existing
bug report already describes this very problem. Even if you feel
that your issue is somewhat different, the resolution is likely
to be the same. 

Thank you for your interest in PHP.

See bug #32111

 