PHP :: Bug #42750 :: if session_name contains a dot, a new session is started every request

Bug #42750

if session_name contains a dot, a new session is started every request

Submitted:

2007-09-24 22:28 UTC

Modified:

2007-09-26 17:22 UTC

Votes:	1
Avg. Score:	4.0 ± 0.0
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	1 (100.0%)

From:

dominik dot dorn at gmail dot com

Assigned:

Status:

Not a bug

Package:

Session related

PHP Version:

5.2.4

OS:

Gentoo Linux

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	dominik dot dorn at gmail dot com
New email:
PHP Version:		OS:

New Comment:

[2007-09-24 22:28 UTC] dominik dot dorn at gmail dot com

Description:
------------
i was trying to fool a little around and tried to set the
session_name to "MYSITE.NET_SessionID'.

PHP sets a cookie with the name ASP.NET_SessionID
but seems not to read it at the next page request.



Reproduce code:
---------------
I tried this with the session_name("ASP.NET_SessionID"); function
and with setting it thru php.ini
session.name = MYSITE.NET_SessionID

i even tried to surround the text with quotes in php.ini like
session.name = "MYSITE.NET_SessionID"
or
session.name = 'MYSITE.NET_SessionID"

Expected result:
----------------
php reads the session id from the cookie names "MYSITE.NET_SessionID' and then reads the sessiondata with the specified sessionhash

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2007-09-25 09:16 UTC] jani@php.net

It's propably the fact that PHP changes dots in incoming data into _ but I need to investigate a bit.

[2007-09-25 09:58 UTC] jani@php.net

From the manual: "It should contain only alphanumeric characters".
This propably should have some sort of check for invalid chars used in the name.

[2007-09-25 12:08 UTC] dominik dot dorn at gmail dot com

well then it should not even set the cookie with the dot in it, shouldn't it? 

Could it be, that the "only alphanumeric" thing is a relict from the register_globals=on time? 

Even if the manual says, the session_id should only contain alphanumeric characters, it does not say that it has to. 

I think there is a just a simple bug in the method, which reads the session cookie back in, because setting the cookie works. 

thanks for your help

[2007-09-25 14:44 UTC] jani@php.net

Note: register_globals is still there, it's just not enabled by default so we still have to take this dot-issue into count.

[2007-09-26 17:22 UTC] iliaa@php.net

Thank you for taking the time to write to us, but this is not
a bug. Please double-check the documentation available at
http://www.php.net/manual/ and the instructions on how to report
a bug at http://bugs.php.net/how-to-report.php

.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Fri Nov 28 17:00:01 2025 UTC