Bug #80774 session_name() problem with backslash
Submitted: 2021-02-19 09:04 UTC
Modified: 2021-02-19 11:13 UTC
From: chirpinternet at gmail dot com
Assigned: cmb (profile)
Status: Closed
Package: Session related
PHP Version: 7.3.27
OS: Debian
Private report: No
CVE-ID: None
 [2021-02-19 09:04 UTC] chirpinternet at gmail dot com
Description:
------------
We have a trait for handling sessions, which includes (abbreviated):

trait SessionOpenCloseTrait {

  protected function open_session($name) {
    session_name($name);
    session_start();
  }

}

Other classes invoke this using __CLASS__ as the $name parameter:

class SecureToken {

  use SessionOpenCloseTrait;

  public function __construct()   {
    $this->open_session(__CLASS__);
  }

}

When namespaced, __CLASS__ contains a backslash (e.g. "Parent\SecureToken").  This has not been a problem until a security upgrade took us from 7.3.19 to 7.3.27.  After the upgrade the SESSION was being written to the server as normal, but no longer accessible on subsequent requests.  *Possibly* due to encoding of the cookie name.

To fix this, we had to remove the '\':

  protected function open_session($name) {
+   $name = str_replace("\\", "", $name);
    session_name($name);
    session_start();
  }
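
Review bot: the added str_replace() line deletes the backslash instead of substituting it, so two class names that differ only in where the namespace separator falls (constructed example: A\BC and AB\C) would resolve to the same session name and share session data. Replacing the backslash with a fixed separator such as "_" makes that collision less likely. Only the backslash is handled here, so any other character in $name that is changed by cookie-name encoding may fail the same way; a short comment on the line saying why the replacement exists would also help the next reader.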




 [2021-02-19 11:13 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2021-02-19 11:13 UTC] cmb@php.net
Thanks for reporting!

This regression has been introduced by the fix for bug #79699,
because cookie names are no longer URL decoded, but session_name()
still URL encodes the session name.

Note that PHP 7.3 is out of active support, so this will not be
fixed for that version.
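
A simplified model of the mismatch described in the comment above, added here as an example (it is not code from php-src or from this report): the session cookie name is emitted URL-encoded, and the request side either decodes cookie names (before the fix for bug #79699) or keeps them as received (after it). All function names and the session ID value are constructed for illustration.

```php
<?php
// Simplified model of the encode/decode mismatch; not PHP's internal parser.

// Response side, per the comment above: the session name is URL-encoded
// when the session cookie is emitted.
function emitted_cookie_name(string $sessionName): string {
    return urlencode($sessionName);
}

// Parse a Cookie request header. $decodeNames = true models the behaviour
// before the fix for bug #79699, false the behaviour after it.
function parse_cookie_header(string $header, bool $decodeNames): array {
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $parts = explode('=', trim($pair), 2);
        if (count($parts) !== 2 || $parts[0] === '') {
            continue; // skip malformed pairs
        }
        $name = $decodeNames ? urldecode($parts[0]) : $parts[0];
        $cookies[$name] = urldecode($parts[1]);
    }
    return $cookies;
}

// True when the session ID sent back by the browser is found under the
// name the application passed to session_name().
function session_resumes(string $sessionName, bool $decodeNames): bool {
    // Constructed session ID; the browser echoes the cookie name as emitted.
    $header = emitted_cookie_name($sessionName) . '=constructedsessionid123';
    $cookies = parse_cookie_header($header, $decodeNames);
    return array_key_exists($sessionName, $cookies);
}

// Audit helper: a name that urlencode() leaves unchanged is unaffected.
function name_is_affected(string $sessionName): bool {
    return urlencode($sessionName) !== $sessionName;
}

// Constructed inputs: the namespaced name from the report and its workaround.
foreach (['Parent\\SecureToken', 'ParentSecureToken'] as $name) {
    printf("%-20s affected=%s decode_names=%s raw_names=%s\n", $name,
        var_export(name_is_affected($name), true),
        var_export(session_resumes($name, true), true),
        var_export(session_resumes($name, false), true));
}
```

Running name_is_affected() over the session names an application uses is a quick way to find the ones that depend on cookie-name decoding before upgrading.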
 [2021-02-19 12:25 UTC] cmb@php.net
The following pull request has been associated:

Patch Name: Fix #80774: session_name() problem with backslash
On GitHub:  https://github.com/php/php-src/pull/6711
Patch:      https://github.com/php/php-src/pull/6711.patch
 [2021-02-22 11:38 UTC] cmb@php.net
Automatic comment on behalf of cmbecker69@gmx.de
Revision: http://git.php.net/?p=php-src.git;a=commit;h=d7c98ca1ac10ee0461f332f21e548649dc0e51c9
Log: Fix #80774: session_name() problem with backslash
 [2021-02-22 11:38 UTC] cmb@php.net
-Status: Verified +Status: Closed