|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #51127 $_SESSION illogical behaviour
Submitted: 2010-02-23 18:56 UTC Modified: 2013-08-21 02:15 UTC
Avg. Score:4.0 ± 1.5
Reproduced:5 of 5 (100.0%)
Same Version:2 (40.0%)
Same OS:2 (40.0%)
From: asanoki at gmail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.2.12 OS: Linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: asanoki at gmail dot com
New email:
PHP Version: OS:


 [2010-02-23 18:56 UTC] asanoki at gmail dot com
No warning about using not allowed characters as a key in array $_SESSION. It is illogical, and should raise a warning or notice.

In manual it is written that $_SESSION is a superglobal *associative array* ( Additional restrictions to key names are illogical and unintuitive. Why do a session serialization function uses diffrent algorithm than default serialize() php function which works fine in such situations? 

Example. Using | character as a key in $_SESSION array causes damaging a session file (it gets 0 bytes length) without any notice, warning or error. 

I understand that it is mentioned in manual, but it is illogical, unintuitive and should raise at least a warning.

Reproduce code:
/* Here is php code which reproduces this error. Fire it *twice*, and look at output of a *second* execution. */


echo "This was loaded from session:<br />\n";

$_SESSION["a|b"] = "asdasd";

echo "<br />\nThis is written to session:<br />\n";

Expected result:
This was loaded from session:
array(1) { ["a|b"]=> string(6) "asdasd" } 

This is written to session:
array(1) { ["a|b"]=> string(6) "asdasd" } 

Actual result:
This was loaded from session:
array(0) { } 

This is written to session:
array(1) { ["a|b"]=> string(6) "asdasd" } 


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2010-03-02 14:48 UTC]
-Summary: $_SESSION illogical behaviour. +Summary: $_SESSION illogical behaviour -Package: Feature/Change Request +Package: Session related
 [2010-05-12 16:26 UTC]
-Status: Open +Status: Verified
 [2011-02-03 13:09 UTC] cyberdisyan at gmail dot com
I experienced the same bug, and it took's me one week to understand why my all of my session variables was destroyed into our application. 

BUT the strangest think is that the session_id is still good. 

Anyway as asanoki said a Warning notice should be usefull

 [2012-03-26 12:54 UTC] simon at hurix dot de
! (exclamation mark) in the key string is also breaking the whole _SESSION array 
on next hit. I suppose there are some more.
 [2012-03-31 06:39 UTC]
-Assigned To: +Assigned To: yohgaki
 [2012-03-31 06:39 UTC]
Standard serialize will be used as a default serializer handler for next PHP 
release. (e.g. 5.5 or later)
 [2013-08-10 08:03 UTC]
Use php_serialize serialize handler, then you'll not have such issue.

php_serialize is available 5.6 or later.
 [2013-08-21 02:15 UTC]
-Status: Verified +Status: Closed
 [2013-08-21 02:15 UTC]
php_serialize will be available from PHP 5.5.4.
PHP Copyright © 2001-2023 The PHP Group
All rights reserved.
Last updated: Thu Mar 23 07:03:44 2023 UTC