php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #36536 Character '|' kill whole sessions
Submitted: 2006-02-26 18:40 UTC Modified: 2006-02-28 02:28 UTC
From: dave at dgx dot cz Assigned:
Status: Not a bug Package: Session related
PHP Version: * OS: *
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: dave at dgx dot cz
New email:
PHP Version: OS:

 

 [2006-02-26 18:40 UTC] dave at dgx dot cz
Description:
------------
If any session key contains character '|', the whole session will not be saved (and will be erased!)



Reproduce code:
---------------
<?php

session_start();

$_SESSION['La'] = 'Trine';
$_SESSION['a|b'] = 'the killer';

session_write_close();

// test

session_start();
var_dump($_SESSION);


?>

Expected result:
----------------
array(2) {
  ["La"]=>
  string(5) "Trine"
  ["a|b"]=>
  string(10) "the killer"
}


Actual result:
--------------
PHP 4.3.9-4.4.2 & 5.0.2-5.1.2

array(0) {
}

PHP 5.0.0-5.0.1 and previous PHP4

array(3) {
  ["La"]=>
  string(5) "Trine"
  ["a"]=>
  NULL
  ["b"]=>
  string(10) "the killer"
}




Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2006-02-26 18:59 UTC] helly@php.net
.
 [2006-02-28 02:28 UTC] dave at dgx dot cz
Sorry, my mistake.

http://www.php.net/session says "The keys in the $_SESSION associative
array are subject to the same limitations as regular variable names in
PHP, i.e. they cannot start with a number..."
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Mar 29 09:01:28 2024 UTC