Bug #7044 Session file created when using bogus SESSIONID
Submitted: 2000-10-05 17:27 UTC Modified: 2000-10-16 14:18 UTC
From: kimmel at tricos dot com Assigned:
Status: Closed Package: Session related
PHP Version: 4.0.2 OS: Windows NT 4 Workstation
Private report: No CVE-ID: None
 [2000-10-05 17:27 UTC] kimmel at tricos dot com
I'm using the <?=SID?> feature to automatically append the corresponding session ID to every link, so that no cookies are required to use the site.

A sample URL as visible on the browser's address bar:
http://webtest/human_resources.phtml?SESSIONID=cca7f03abde2c33077df25999850d6dc

Now if I change the SESSIONID parameter to something really stupid, PHP simply creates a file with exactly that name, regardless of whether a session with that SESSIONID has ever been created before by session_start():

http://webtest/human_resources.phtml?SESSIONID=stupidsessionid

creates the file "sessstupidsessionid" in the session directory.

Why?
This way someone could fill up the whole directory!

 [2000-10-05 19:28 UTC] kimmel at tricos dot com
JFYI: I'm using IIS/PWS (SP5) with the PHP CGI version.

 [2000-10-05 20:20 UTC] kimmel at tricos dot com
JFYI: I'm using IIS/PWS (SP5) with the PHP CGI version.

 [2000-10-16 14:18 UTC] sas@php.net
That is comparable to having many visitors to your site. 
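
The behaviour reported above, where PHP adopts whatever ID the client sends, can be refused on the server side. The following is an added example, not code from this report or from the PHP project; it assumes PHP 7 or later, the session name SESSIONID used in the report, and a hypothetical helper `start_issued_session()` with a hypothetical marker key `issued_by_server`. A request without a valid ID still receives a fresh session, as any new visitor would.

```php
<?php
// Added example: refuse session IDs that this server did not issue.
// Assumptions: PHP >= 7.0, session name "SESSIONID" as in the report.
// start_issued_session() and 'issued_by_server' are hypothetical names.

// Strict mode (available since PHP 5.5.2): an ID with no existing session
// data is discarded and a new random ID is generated instead of adopting it.
ini_set('session.use_strict_mode', '1');
session_name('SESSIONID');

function start_issued_session(): void
{
    $name = session_name();
    // Remember what the client sent, whether in the URL or in a cookie.
    $supplied = $_GET[$name] ?? $_COOKIE[$name] ?? null;

    session_start();

    // Second layer, for save handlers that do not validate IDs:
    // a session is trusted only if it carries a marker set by this code.
    if (empty($_SESSION['issued_by_server'])) {
        if ($supplied !== null && session_id() === $supplied) {
            // The client-chosen ID was adopted after all. Issue a new ID
            // and delete the data stored under the supplied one (with the
            // files handler, the "sess_<id>" file in the session directory).
            session_regenerate_id(true);
        }
        $_SESSION = [];
        $_SESSION['issued_by_server'] = true;
    }
}

start_issued_session();
```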