Request #64344 Option to suppress illegal session id warnings
Submitted: 2013-03-04 01:34 UTC Modified: 2013-03-04 03:27 UTC
From: nick at noodles dot net dot nz Assigned:
Status: Wont fix Package: Session related
PHP Version: 5.4.12 OS: All
Private report: No CVE-ID: None

 

 [2013-03-04 01:34 UTC] nick at noodles dot net dot nz
Description:
------------
We have a few users a day trying to inject things into their PHPSESSID cookie for some reason. When they request a page on our site with session_start() PHP generates a warning "session_start(): The session id is too long or contains illegal characters".

This is a redundant message as PHP recovers and resets the PHPSESSID to a legal one. It would be great to see a session.warn_illegal_id (or similar) option to suppress these warnings.

Test script:
---------------
Set cookie PHPSESSID to 1747d33a3556d5bf141706eb271bf972,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,JSESSIONID=20AB177A036A09CB0B9D58D19589529C,ASPSESSIONIDASBCCDAQ=MNEJOAJBPCMLMPEDCMFCKGKL,JSESSIONID=UZBDOYZSUXNZCCUUCAZSFFA

Request a page with session_start();

Expected result:
----------------
I expect session_start() to fail quietly and regenerate the PHPSESSID to a valid value.

Actual result:
--------------
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

 [2013-03-04 02:42 UTC] laruence@php.net
Why not @session_start?
 [2013-03-04 02:45 UTC] nick at noodles dot net dot nz
@session_start would suppress all errors/warnings. There might be an instance 
where my session store (memcache) may not be working correctly or may be 
inaccessible and I wouldn't want to stop those messages.
 [2013-03-04 03:27 UTC] laruence@php.net
-Status: Open +Status: Wont fix
 [2013-03-04 03:27 UTC] laruence@php.net
I hope you understand.
We will not add that many options to disable every kind of warning message.
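
One way to get the behaviour requested in this report without `@`, shown as an added example that is not part of the report or of PHP itself: validate the session cookie against the character set quoted in the warning and discard it before `session_start()` runs. The function names and `MAX_SID_LENGTH` are assumptions, and the sketch assumes cookies are the only source of the session id (`session.use_only_cookies=1`).

```php
<?php
// Added example; not code from the bug report or from PHP.
// The character set is the one quoted in the warning text on this page.
// MAX_SID_LENGTH is an assumed limit; set it to what your save handler accepts.
const MAX_SID_LENGTH = 128;

/** True if $sid is a string of 1..MAX_SID_LENGTH chars from a-z A-Z 0-9 - , */
function is_plausible_session_id($sid)
{
    $pattern = '/\A[A-Za-z0-9,-]{1,' . MAX_SID_LENGTH . '}\z/';
    return is_string($sid) && preg_match($pattern, $sid) === 1;
}

/**
 * Hypothetical wrapper: drop a malformed session cookie before session_start()
 * reads it, so PHP issues a fresh id without the warning. No @ is used, so
 * save-handler warnings (for example an unreachable memcache) still appear.
 */
function start_session_checked()
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        $value = $_COOKIE[$name];
        $len   = is_string($value) ? strlen($value) : -1; // -1: array-valued cookie
        $peer  = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '-';
        // Log size and peer only; the raw value is attacker-controlled.
        error_log(sprintf('malformed %s cookie dropped: peer=%s len=%d', $name, $peer, $len));
        unset($_COOKIE[$name]);
    }
    return session_start();
}

if (PHP_SAPI === 'cli') {
    // First sample is the leading id from the report's cookie; the second is
    // a constructed value in the same style (contains '=').
    $samples = array('1747d33a3556d5bf141706eb271bf972', 'abc123,OAID=0123abcd');
    foreach ($samples as $sid) {
        printf("%-36s %s\n", $sid, is_plausible_session_id($sid) ? 'accept' : 'reject');
    }
}
```

The dropped-cookie log line gives a per-peer count of tampering attempts that the suppressed warning would otherwise have hidden.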
 
Last updated: Thu Jul 03 11:01:34 2025 UTC