Request #33786 $_SESSION not saving when an element's index contains pipe '|' character
Submitted: 2005-07-20 13:23 UTC Modified: 2014-01-04 00:05 UTC
Votes:9
Avg. Score:3.7 ± 0.9
Reproduced:5 of 5 (100.0%)
Same Version:1 (20.0%)
Same OS:1 (20.0%)
From: simon dot bettison at blueyonder dot co dot uk Assigned: arpad
Status: Closed Package: Session related
PHP Version: 5.1.0b3 OS: Gentoo Linux
Private report: No CVE-ID:
 [2005-07-20 13:23 UTC] simon dot bettison at blueyonder dot co dot uk
Description:
------------
A script registers a variable in $_SESSION using an index value which contains a pipe ("|"),

i.e.
$index = "some|index";
$_SESSION[$index]="some variable";

I expected this variable (and any other variables registered in $_SESSION) to be stored, and made available to other script(s) executed in the same session for the lifetime of the session cookie.

However, subsequent access to $_SESSION indicates that the $_SESSION variable contains no data at all.

This only seems to occur following the use of the pipe ("|") character in the element's index.


Reproduce code:
---------------
<?php

        session_start();

        print_r($_SESSION);
        $_SESSION["some|variable"]="some value";
        print_r($_SESSION);

?>


Expected result:
----------------
First execution:

Array ( ) Array ( [some|variable] => some value )

Second & Subsequent execution

Array ( [some|variable] => some value ) Array ( [some|variable] => some value )


Actual result:
--------------
First execution:

Array ( ) Array ( [some|variable] => some value )

Second & Subsequent execution

Array ( ) Array ( [some|variable] => some value )



 [2005-07-20 13:37 UTC] sniper@php.net
| is not allowed in variable names. (yes, I know you can use it in array indexes, but $_SESSION is special in many ways)

 [2011-08-19 15:09 UTC] lgandras at gmail dot com
May I ask why isn't the full session just serialized like a normal array?
 [2011-08-19 18:41 UTC] arpad@php.net
It's an artifact of register_globals/session_register, could be fixed now 
that they're gone and I wrote a patch to do so a couple of years ago but 
some issues emerged and I haven't got around to addressing them yet.

If you raise a feature request someone else may get to it sooner.
 [2011-08-20 00:59 UTC] arpad@php.net
-Status: Bogus +Status: Open -Type: Bug +Type: Feature/Change Request -Assigned To: +Assigned To: arpad
 [2011-10-04 22:39 UTC] tkllingenberg at lastflood dot net
I assume this is because the serialized form of sessions (as for the PHP serialization handler) contains the pipe character "|" as a separator between variable names.

The pipe example:

<?php
    $_SESSION['a|b'] = 'c';
    echo session_encode(); # '' - empty string
?>

I assume this, because other illegal variable names, like a variable starting with a number, _are_ possible, for example:

<?php
    $_SESSION['0a'] = '1a';
    echo session_encode(); # '0a|s:2:"1a";'
?>

If you change the session serialize-handler to "php_binary" (was: "php" in the examples above), this might already work (returns values containing the data in both cases).

Tested against PHP 5.3.8.
 [2013-07-09 15:01 UTC] boolie2051 at hotmail dot co dot uk
Can someone explain why | is not allowed in variable names but it is in array indexes?
 [2014-01-03 23:30 UTC] charles dot capps at gmail dot com
http://us2.php.net/manual/en/session.configuration.php#ini.session.serialize-handler

As of 5.5.4, a new session serializer, "php_serialize", is available.  It uses the normal plain vanilla PHP serialize function instead of the weird pipe-delimited nonsense, thus allowing pipes to appear in session keys.
 [2014-01-04 00:05 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2014-01-04 00:05 UTC] yohgaki@php.net
Use the php_serialize save handler, as in the previous comment.

The php save handler has limitations that originate from global session variable support. Characters that cannot be in variable names cannot be used as session var names with the php save handler.
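
Added example (not part of the original report and not PHP project code): a CLI script that round-trips the report's "some|variable" key through each session.serialize_handler named in the comments above and reports whether the session data survives. The function name sessionRoundTrip is hypothetical; the script assumes PHP >= 5.5.4 (for php_serialize) and a writable session.save_path.

```php
<?php
// Added example, not from the bug report. Run from the CLI.
// Assumes PHP >= 5.5.4 (php_serialize) and a writable session.save_path.

// Encode $data with the given session.serialize_handler, decode it again,
// and report whether the array survived the round trip.
function sessionRoundTrip($handler, array $data)
{
    // The handler can only be changed while no session is active.
    ini_set('session.serialize_handler', $handler);
    session_start();
    $_SESSION = $data;

    // The report shows an empty string for the "php" handler on 5.3.8.
    // false is treated the same way: session_encode() returns false on failure.
    $encoded = @session_encode();
    $failed  = ($encoded === false || $encoded === '');

    $_SESSION = array();
    if (!$failed) {
        session_decode($encoded);
    }
    $restored = $_SESSION;
    session_destroy();

    return array(
        'handler'  => $handler,
        'encoded'  => $failed ? '(nothing encoded)' : $encoded,
        'survived' => !$failed && $restored == $data,
    );
}

ini_set('session.use_cookies', '0'); // no session cookie needed for a CLI run

// Constructed sample data: the key from the report plus the "0a" key from the comments.
$data = array('some|variable' => 'some value', '0a' => '1a');

// Collect every result before printing: session ini settings cannot be
// changed once output has started.
$results = array();
foreach (array('php', 'php_binary', 'php_serialize') as $handler) {
    $results[] = sessionRoundTrip($handler, $data);
}

foreach ($results as $r) {
    // Escape non-printable bytes so the php_binary output stays readable.
    printf("%-14s survived=%-3s %s\n", $r['handler'], $r['survived'] ? 'yes' : 'no',
        addcslashes($r['encoded'], "\0..\37\177..\377"));
}
```

A handler that reports survived=no drops the whole session, not only the offending key, which matches the "Actual result" in the report.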
 
Last updated: Thu Apr 24 20:02:09 2014 UTC