php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #35076 Sometimes the log file shows: The session id contains illegal characters, ..etc
Submitted: 2005-11-03 02:27 UTC Modified: 2005-11-07 02:34 UTC
From: vincent_f40 at hotmail dot com Assigned:
Status: Not a bug Package: Session related
PHP Version: 5CVS-2005-11-05 (snap) OS: Linux RHEL4, 2.6.9-11.ELsmp
Private report: No CVE-ID: None
 [2005-11-03 02:27 UTC] vincent_f40 at hotmail dot com
Description:
------------
[Thu Nov  3 00:49:10 2005] [error] PHP Warning:  session_start() [<a href='function.session-start'>function.session-start</a>]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/httpd/html/includes/session_init.inc on line 70
[Thu Nov  3 00:49:11 2005] [error] PHP Warning:  Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
[Thu Nov  3 00:49:11 2005] [error] PHP Warning:  Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0

1) Cant reproduce the errors. As the site works fine, only sometimes the above error appears in the log files.
2) session_write_close() is being used.
3) session_name() uses only the characters [a-z].
4) As the site works /tmp is oke as well.(perms, etc.)
5) There is enough free disk space in /tmp as well.

a) using apache 1.3.34, php compiled as module(apxs)
b) Kernel: 2.6.9-11.ELsmp (double processor)

Is this a bug or a php programming error ?
As it happens not always, just random/sometimes.

Search the net for hours...no luck in finding the explanation. Hope to find some clue here.

Thanks.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2005-11-05 01:00 UTC] vincent_f40 at hotmail dot com
Hi Sniper,

Oki...and what about my initial error. The error down here:
Is this then a know issue and will be solved in the latest php release ?

Thu Nov  3 00:49:10 2005] [error] PHP Warning:  session_start() [<a
href='function.session-start'>function.session-start</a>]: The session
id contains illegal characters, valid characters are a-z, A-Z, 0-9 and
'-,' in /home/httpd/html/includes/session_init.inc on line 70
[Thu Nov  3 00:49:11 2005] [error] PHP Warning:  Unknown: The session id
contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
in Unknown on line 0
[Thu Nov  3 00:49:11 2005] [error] PHP Warning:  Unknown: Failed to
write session data (files). Please verify that the current setting of
session.save_path is correct () in Unknown on line 0

Thanks,
Vince.
 [2005-11-05 12:42 UTC] sniper@php.net
Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

And ignore the PEAR errors. (just add --without-pear to your configure line)
 [2005-11-05 19:23 UTC] vincent_f40 at hotmail dot com
Hi Sniper,

Downloaded the latest PHP from your link. Installed it with the option: --without-pear.
Everything installed Ok.

But the errors keep appearing...any ideas?

Thanks,
Vince
 [2005-11-05 21:58 UTC] vincent_f40 at hotmail dot com
file: config.inc
<?php
$conf['session_name'] = "somename";
$conf['session_init'] = "session_init.inc";
$conf['domain'] = ".domain.com";
?>

file: session_init.inc
<?php
function a(){
  some code
}
session_name($conf['session_name']);
session_start();

if else statements

if (!$_COOKIE['wid']) {
    setcookie("wid", $_GET['wid'], time()+(3600 * 24 *365), "/" , $conf['domain']);
}

?>

file: index.php
<?php
require_once("config.inc");
require_once($conf['session_init']);

html webpage code
?>

I am not able to reproduce the error. The error just appears sometimes in the log files...But basicly this is the setup.
Some pages we use frames...but I guess that should not be a problem.

Thanks,
Vince
 [2005-11-05 23:29 UTC] sniper@php.net
So what IS passed to server when this happens? What is the session id? Are you sure someone just isn't trying to hack your service with some random generated ID's and just doesn't know that some chars are not allowed?
 [2005-11-06 00:14 UTC] vincent_f40 at hotmail dot com
Hi Sniper,

Thank you for your reply.

I have no idea what IS passed to the server(what can be passed?). I am just somehow getting these errors appearing arround 2-3 times a hour. Nothing more it says...(just as I copy and pasted the error down here)
Also nothing about the session_id... As you can see in the error I copy and pasted.
We use cookies for the sessions(we do not use session id in the link)...dont know if there is a way to hack our service in this way...with some random session_id...but then I should see these errors appear a lot more I guess...

Any clue ? Do I need to switch to a more verbose error logging...

Thanks,
Vince
 [2005-11-06 04:02 UTC] sniper@php.net
Please ask your administrator to check the httpd access log and compare the times there with the error time here.

This is not a PHP bug.

 [2005-11-07 02:34 UTC] vincent_f40 at hotmail dot com
Hi Sniper,

Compared the httpd access log file with the error times, from this bug-post. There are not so much entries on those times and nothing looks weird.

If your sure this is not a bug, could you point out a page where this problem is explained ?

Thanks,
Vince
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Mon Jul 26 01:01:23 2021 UTC