Request #33786 $_SESSION not saving when an element's index contains pipe '|' character
Submitted: 2005-07-20 13:23 UTC Modified: 2014-01-04 00:05 UTC
Avg. Score:3.7 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:1 (20.0%)
From: simon dot bettison at blueyonder dot co dot uk Assigned: arpad
Status: Closed Package: Session related
PHP Version: 5.1.0b3 OS: Gentoo Linux
Private report: No CVE-ID:
 [2005-07-20 13:23 UTC] simon dot bettison at blueyonder dot co dot uk
A script registers a variable in $_SESSION using an index value which contains a pipe ("|"):

$index = "some|index";
$_SESSION[$index]="some variable";

I expected this variable (and any other variables registered in $_SESSION) to be stored, and made available to other script(s) executed in the same session for the lifetime of the session cookie.

However, subsequent access to $_SESSION indicates that the $_SESSION variable contains no data at all.

This only seems to occur following the use of the pipe ("|") character in the element's index.

Reproduce code:


        $_SESSION["some|variable"]="some value";


Expected result:
First execution:

Array ( ) Array ( [some|variable] => some value )

Second & Subsequent execution

Array ( [some|variable] => some value ) Array ( [some|variable] => some value )

Actual result:
First execution:

Array ( ) Array ( [some|variable] => some value )

Second & Subsequent execution

Array ( ) Array ( [some|variable] => some value )


 [2005-07-20 13:37 UTC]
| is not allowed in variable names. (yes, I know you can use it in array indexes, but $_SESSION is special in many ways)

 [2011-08-19 15:09 UTC] lgandras at gmail dot com
May I ask why isn't the full session just serialized like a normal array?
 [2011-08-19 18:41 UTC]
It's an artifact of register_globals/session_register, could be fixed now 
that they're gone and I wrote a patch to do so a couple of years ago but 
some issues emerged and I haven't got around to addressing them yet.

If you raise a feature request someone else may get to it sooner.
 [2011-08-20 00:59 UTC]
-Status: Bogus +Status: Open -Type: Bug +Type: Feature/Change Request -Assigned To: +Assigned To: arpad
 [2011-10-04 22:39 UTC] tkllingenberg at lastflood dot net
I assume this is because the serialized form of sessions (as for the PHP serialization handler) contains the pipe character "|" as a separator between variable names.

The pipe example:

    $_SESSION['a|b'] = 'c';
    echo session_encode(); # '' - empty string

I assume this, because other illegal variable names, like a variable starting with a number, _are_ possible, for example:

    $_SESSION['0a'] = '1a';
    echo session_encode(); # '0a|s:2:"1a";'

If you change the session serialize-handler to "php_binary" (was: "php" in the examples above), this might already work (returns values containing the data in both cases).

Tested against PHP 5.3.8.
 [2013-07-09 15:01 UTC] boolie2051 at hotmail dot co dot uk
Can someone explain why | is not allowed in variable names but it is in array indexes?
 [2014-01-03 23:30 UTC] charles dot capps at gmail dot com

As of 5.5.4, a new session serializer, "php_serialize", is available.  It uses the normal plain vanilla PHP serialize function instead of the weird pipe-delimited nonsense, thus allowing pipes to appear in session keys.
 [2014-01-04 00:05 UTC]
-Status: Assigned +Status: Closed
 [2014-01-04 00:05 UTC]
Use the php_serialize save handler, as in the previous comment.

The php save handler has limitations that originate from global session variable support. Characters that cannot be used in variable names cannot be used as session variable names with the php save handler.
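
Added example, not part of the original report or of PHP's own code: it encodes the same session data under the "php" and "php_serialize" handlers discussed above, showing that one key containing "|" makes the "php" handler drop the whole session, and lists the keys that would need renaming. The function names and sample data are constructed for illustration; it assumes PHP 7.1+ run from the CLI.

```php
<?php
// Added example, not from the bug report. Assumes PHP 7.1+ run from the CLI.

// Encode $data under the given session.serialize_handler.
// Returns the encoded string, or null when the handler produced nothing.
function encode_with(string $handler, array $data): ?string
{
    // Session ini settings must be changed before session_start().
    ini_set('session.serialize_handler', $handler);
    ini_set('session.save_path', sys_get_temp_dir());
    ini_set('session.use_cookies', '0');
    ini_set('session.cache_limiter', '');
    session_start();
    $_SESSION = $data;
    // On a key with '|', the "php" handler gives '' or false depending on version.
    $encoded = @session_encode();
    session_destroy(); // remove the throwaway session file
    return ($encoded === false || $encoded === '') ? null : $encoded;
}

// Keys the "php" handler cannot store: it writes name|serialized-value pairs,
// so a '|' inside the name cannot be told apart from the delimiter.
function unsafe_keys(array $data): array
{
    return array_values(array_filter(array_keys($data), function ($key) {
        return strpos((string) $key, '|') !== false;
    }));
}

// Constructed sample data: one ordinary key and the key from the report.
$data = ['user' => 'alice', 'some|variable' => 'some value'];

$results = [
    'php'           => encode_with('php', $data),
    'php_serialize' => encode_with('php_serialize', $data),
];

// Print only after all session work, so no header warnings are triggered.
foreach ($results as $handler => $encoded) {
    echo str_pad($handler, 14), $encoded === null ? '(nothing encoded)' : $encoded, "\n";
}
echo 'keys to rename under "php": ', implode(', ', unsafe_keys($data)), "\n";
```

Running a check like unsafe_keys() where session keys are derived from external input lets an application log or reject such a key instead of silently losing the session.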
Last updated: Tue Dec 01 16:01:38 2015 UTC