PHP :: Bug #71243 :: session_start() returns true, even for invalid session ids

Bug #71243

session_start() returns true, even for invalid session ids

Submitted:

2015-12-30 10:14 UTC

Modified:

2016-01-12 21:52 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

maggus dot staab at googlemail dot com

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Session related

PHP Version:

Irrelevant

OS:

Ubuntu12 lts

Private report:

CVE-ID:

None

View Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	maggus dot staab at googlemail dot com
New email:
PHP Version:		OS:

New/Additional Comment:

[2015-12-30 10:14 UTC] maggus dot staab at googlemail dot com

Description:
------------
session_start() returns true, even if the configured session_id() is invalid.

This is similar to https://bugs.php.net/bug.php?id=65795 but I guess the cause is different.

Test script:
---------------
https://3v4l.org/HXRoR

session_id('öäü');
var_dump(session_start());

Expected result:
----------------
Warning: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /in/HXRoR on line 4
bool(false)

Actual result:
--------------
Warning: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /in/HXRoR on line 4
bool(true)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-12-30 13:05 UTC] laruence@php.net

-Assigned To: +Assigned To: yohgaki

[2015-12-31 00:32 UTC] yohgaki@php.net

-Status: Assigned +Status: Analyzed

[2015-12-31 00:32 UTC] yohgaki@php.net

@maggus Thank you for the report.
The cause is different. The cause is 

static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)

is not returning status properly.

Many session internal functions were written w/o return values originally. It's time for cleanup to fix these issues. Some of them will be only for PHP 7.1 as PHPAPI needs changes.

[2015-12-31 00:56 UTC] yohgaki@php.net

I have to change this function's signature

PHPAPI void php_session_start(TSRMLS_D)

Fix will be only for 7.1 and later.

[2015-12-31 01:18 UTC] yohgaki@php.net

I have to kill broken save handler implementations also. i.e. BC

static void php_session_initialize(TSRMLS_D
**SNIP**
	if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == FAILURE) {
		/* Some broken save handler implementation returns FAILURE for non-existent session ID */
		/* It's better to raise error for this, but disabled error for better compatibility */
		/*
		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Failed to read session data: %s (path: %s)", PS(mod)->s_name, PS(save_path));
		*/
	}

[2016-01-12 21:51 UTC] yohgaki@php.net

Bug #71122 is fixed and this bug is also fixed on PHP 7.0 and later.

[2016-01-12 21:52 UTC] yohgaki@php.net

-Status: Analyzed +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Oct 30 22:00:01 2025 UTC