PHP :: Request #33786 :: $_SESSION not saving when an element's index contains pipe '|' character

$_SESSION not saving when an element's index contains pipe '|' character

Submitted:

2005-07-20 13:23 UTC

Modified:

2014-01-04 00:05 UTC

Votes:	9
Avg. Score:	3.7 ± 0.9
Reproduced:	5 of 5 (100.0%)
Same Version:	1 (20.0%)
Same OS:	1 (20.0%)

From:

simon dot bettison at blueyonder dot co dot uk

Assigned:

arpad (profile)

Status:

Closed

Package:

Session related

PHP Version:

5.1.0b3

OS:

Gentoo Linux

Private report:

CVE-ID:

None

View Add Comment Developer Edit

Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.

php.net Username: php.net Password:

Quick Fix:	(description)
	Block user comment
Status:		Assign to:
Package:
Bug Type:
Summary:
From:	simon dot bettison at blueyonder dot co dot uk
New email:
PHP Version:		OS:

New/Additional Comment:

[2005-07-20 13:23 UTC] simon dot bettison at blueyonder dot co dot uk

Description:
------------
A script registers a variable in $_SESSION using and index value which contains a pipe ("|"), 

ie 
$index = "some|index";
$_SESSION[$index]="some variable";

I expected this variable (and any other variables registered in $_SESSION) to be stored, and made available to other script(s) executed in the same session for the lifetime of the session cookie.

However, subseqent access to $_SESSION indicates that the $_SESSION variable contains no data at all.

This only seems to occur following the use of the pipe ("|") character in the element's index.


Reproduce code:
---------------
<?php

        session_start();

        print_r($_SESSION);
        $_SESSION["some|variable"]="some value";
        print_r($_SESSION);

?>


Expected result:
----------------
First execution:

Array ( ) Array ( [some|variable] => some value )

Second & Subsequent execution

Array ( [some|variable] => some value ) Array ( [some|variable] => some value )


Actual result:
--------------
First execution:

Array ( ) Array ( [some|variable] => some value )

Second & Subsequent execution

Array ( ) Array ( [some|variable] => some value )

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-07-20 13:37 UTC] sniper@php.net

| is not allowed in variable names. (yes, I know you can use it in array indexes, but $_SESSION is special in many ways)

[2011-08-19 15:09 UTC] lgandras at gmail dot com

May i ask why isn't the full session just serialized like a normal array?

[2011-08-19 18:41 UTC] arpad@php.net

It's an artifact of register_globals/session_register, could be fixed now 
that they're gone and I wrote a patch to do so a couple of years ago but 
some issues emerged and I haven't got around to addressing them yet.

If you raise a feature request someone else may get to it sooner.

[2011-08-20 00:59 UTC] arpad@php.net

-Status: Bogus +Status: Open -Type: Bug +Type: Feature/Change Request -Assigned To: +Assigned To: arpad

[2011-10-04 22:39 UTC] tkllingenberg at lastflood dot net

I assume this is because the serialized form of sessions (as for the PHP serialization handler) contains the pipe character "|" as a separator between variable names.

The pipe example:

<?php
    $_SESSION['a|b'] = 'c';
    echo session_encode(); # '' - empty string
?>

I assume this, because other illegal variable names, like a variable starting with a number, _are_ possible, for example:

<?php
    $_SESSION['0a'] = '1a';
    echo session_encode(); # '0a|s:2:"1a";'
?>

If you change the session serialize-handler to "php_binary" (was: "php" in the exmaples above), this might already work (returns values containing the data in both cases).

Tested against PHP 5.3.8.

[2013-07-09 15:01 UTC] boolie2051 at hotmail dot co dot uk

Can someone explain why| is not allowed in variable names but it is in array indexes.

[2014-01-03 23:30 UTC] charles dot capps at gmail dot com

http://us2.php.net/manual/en/session.configuration.php#ini.session.serialize-handler

As of 5.5.4, a new session serializer, "php_serialize", is available.  It uses the normal plain vanilla PHP serialize function instead of the weird pipe-delimited nonsense, thus allowing pipes to appear in session keys.

[2014-01-04 00:05 UTC] yohgaki@php.net

-Status: Assigned +Status: Closed

[2014-01-04 00:05 UTC] yohgaki@php.net

Use php_serialize save handler as previous comment.

php save handler has limitations that are originated from global session variable support. Characters that cannot be variables names cannot be used as session var names with php save handler.

[2024-04-12 19:47 UTC] sogmik at hotmail dot com

rtuytuytutytutuytut

[2024-04-12 19:48 UTC] future at hotmail dot com

Change to a newer version

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Thu Apr 18 15:01:28 2024 UTC