php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Request #64344 Option to suppress illegal session id warnings
Submitted: 2013-03-04 01:34 UTC Modified: 2013-03-04 03:27 UTC
From: nick at noodles dot net dot nz Assigned:
Status: Wont fix Package: Session related
PHP Version: 5.4.12 OS: All
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: nick at noodles dot net dot nz
New email:
PHP Version: OS:

 

 [2013-03-04 01:34 UTC] nick at noodles dot net dot nz 
Description:
------------
We have a few users a day trying to inject things into their PHPSESSID cookie for some reason. When they request a page on our site with session_start() PHP generates a warning "session_start(): The session id is too long or contains illegal characters".

This is a redundant message as PHP recovers and resets the PHPSESSID to a legal one. It would be great to see a session.warn_illegal_id (or similar) option to suppress these warnings.

Test script:
---------------
Set cookie PHPSESSID to 1747d33a3556d5bf141706eb271bf972,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,JSESSIONID=20AB177A036A09CB0B9D58D19589529C,ASPSESSIONIDASBCCDAQ=MNEJOAJBPCMLMPEDCMFCKGKL,JSESSIONID=UZBDOYZSUXNZCCUUCAZSFFA

Request a page with session_start();

Expected result:
----------------
I expect session_start() to fail quietly and regenerate the PHPSESSID to a valid value.

Actual result:
--------------
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2013-03-04 02:42 UTC] laruence@php.net 
why not 
@session_start
 [2013-03-04 02:45 UTC] nick at noodles dot net dot nz 
@session_start would suppress all errors/warnings. There might be an instance 
where my session store (memcache) may not be working correctly or may be 
inaccessible and I wouldn't want to stop those messages.
 [2013-03-04 03:27 UTC] laruence@php.net
-Status: Open +Status: Wont fix
 [2013-03-04 03:27 UTC] laruence@php.net 
I hope you understand.
we will not add that many options to disable every kind of warning message.
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Sun Nov 02 16:00:01 2025 UTC