Request #40470 Invalid session id should specify actual ID
Submitted: 2007-02-14 00:07 UTC Modified: 2013-08-08 02:56 UTC
From: ceo at l-i-e dot com Assigned: yohgaki (profile)
Status: Wont fix Package: Session related
PHP Version: 5.2.1 OS: *
Private report: No CVE-ID: None
 [2007-02-14 00:07 UTC] ceo at l-i-e dot com
Description:
------------
A message such as this:
[04-Dec-2006 18:21:56] PHP Warning:  Unknown: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown
on line 0
should be improved to specify the actual invalid ID.

A busy site with many sessions will need that info to trace down the bug quickly.


Expected result:
----------------
Something like this:

[04-Dec-2006 18:21:56] PHP Warning:  Unknown: The session id '$#!^' contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown
on line 0



History

 [2011-02-21 21:15 UTC] jani@php.net
-Package: Feature/Change Request
+Package: Session related
-Operating System: all
+Operating System: *
 [2012-03-31 03:24 UTC] yohgaki@php.net
-Assigned To:
+Assigned To: yohgaki
 [2013-08-08 02:56 UTC] yohgaki@php.net
-Status: Assigned
+Status: Wont fix
 [2013-08-08 02:56 UTC] yohgaki@php.net
Writing user input to the log can be a cause of security issues. Invalid session ID
characters are an obvious attack, and you should take countermeasures rather than
logging them.

Are you using session autostart? If so, I would suggest starting the session manually
and registering your own error handler, which logs the IP address when an error occurs,
*before* starting the session.
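
The approach suggested in the last comment, as an added example that is not part of the original report or of PHP itself: a warning handler is registered before a manual session_start() and logs the client IP address, plus the length and a digest of the submitted ID instead of the raw value. It assumes PHP 7.1+, session.auto_start = 0, a session ID delivered by cookie, and a cookie path of '/'; log_session_warning() is a hypothetical name.

```php
<?php
// Added example, not php.net code. Assumes PHP 7.1+ and session.auto_start = 0,
// so that this handler is registered before the session module reads the cookie.
// log_session_warning() is a hypothetical name.

function log_session_warning(int $errno, string $errstr): bool
{
    $ip  = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    $raw = $_COOKIE[session_name()] ?? '';
    if (!is_string($raw)) {
        $raw = '';            // e.g. the cookie was sent as an array
    }
    // Do not write the client-supplied ID itself: record its length and a
    // digest, which is enough to correlate repeated requests.
    error_log(sprintf(
        'session warning from %s (id length=%d, sha256=%s): %s',
        $ip,
        strlen($raw),
        hash('sha256', $raw),
        $errstr
    ));
    return true;              // handled; skip PHP's default warning output
}

// Install the handler only around session_start().
set_error_handler('log_session_warning', E_WARNING);
$started = session_start();
restore_error_handler();

if (!$started) {
    // One possible countermeasure (an assumption, not from the report):
    // expire the bad cookie and refuse the request.
    setcookie(session_name(), '', time() - 3600, '/');
    http_response_code(400);
    exit;
}
```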
 