PHP :: Bug #71243 :: session_start() returns true, even for invalid session ids

Bug #71243

session_start() returns true, even for invalid session ids

Submitted:

2015-12-30 10:14 UTC

Modified:

2016-01-12 21:52 UTC

Votes:	1
Avg. Score:	3.0 ± 0.0
Reproduced:	0 of 0 (0.0%)

From:

maggus dot staab at googlemail dot com

Assigned:

yohgaki (profile)

Status:

Closed

Package:

Session related

PHP Version:

Irrelevant

OS:

Ubuntu12 lts

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	maggus dot staab at googlemail dot com
New email:
PHP Version:		OS:

New Comment:

[2015-12-30 10:14 UTC] maggus dot staab at googlemail dot com

Description:
------------
session_start() returns true, even if the configured session_id() is invalid.

This is similar to https://bugs.php.net/bug.php?id=65795 but I guess the cause is different.

Test script:
---------------
https://3v4l.org/HXRoR

session_id('öäü');
var_dump(session_start());

Expected result:
----------------
Warning: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /in/HXRoR on line 4
bool(false)

Actual result:
--------------
Warning: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /in/HXRoR on line 4
bool(true)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2015-12-30 13:05 UTC] laruence@php.net

-Assigned To: +Assigned To: yohgaki

[2015-12-31 00:32 UTC] yohgaki@php.net

-Status: Assigned +Status: Analyzed

[2015-12-31 00:32 UTC] yohgaki@php.net

@maggus Thank you for the report.
The cause is different. The cause is 

static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)

is not returning status properly.

Many session internal functions were written w/o return values originally. It's time for cleanup to fix these issues. Some of them will be only for PHP 7.1 as PHPAPI needs changes.

[2015-12-31 00:56 UTC] yohgaki@php.net

I have to change this function's signature

PHPAPI void php_session_start(TSRMLS_D)

Fix will be only for 7.1 and later.

[2015-12-31 01:18 UTC] yohgaki@php.net

I have to kill broken save handler implementations also. i.e. BC

static void php_session_initialize(TSRMLS_D
**SNIP**
	if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == FAILURE) {
		/* Some broken save handler implementation returns FAILURE for non-existent session ID */
		/* It's better to raise error for this, but disabled error for better compatibility */
		/*
		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Failed to read session data: %s (path: %s)", PS(mod)->s_name, PS(save_path));
		*/
	}

[2016-01-12 21:51 UTC] yohgaki@php.net

Bug #71122 is fixed and this bug is also fixed on PHP 7.0 and later.

[2016-01-12 21:52 UTC] yohgaki@php.net

-Status: Analyzed +Status: Closed

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Thu Jan 30 05:01:31 2025 UTC