Bug #66827 session_start generates PHP Notice if session cookie contains array
Submitted: 2014-03-05 15:07 UTC Modified: 2014-07-18 05:32 UTC
Votes:5
Avg. Score:3.2 ± 1.8
Reproduced:3 of 4 (75.0%)
Same Version:1 (33.3%)
Same OS:2 (66.7%)
From: spam at krol dot me Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 5.5.9 OS: osx
Private report: No CVE-ID:
 [2014-03-05 15:07 UTC] spam at krol dot me
Description:
------------
If the session cookie contains an array instead of a session_id string, a PHP Notice is generated on the session_start() call.

Test script:
---------------
<?php

$sessionName = "PHPSESSID";
session_name($sessionName);

$_COOKIE[$sessionName]['key'] = 'value';

session_start();

Expected result:
----------------
false

Actual result:
--------------
PHP Notice:  Array to string conversion in /private/tmp/session-fail.php on line 8
PHP Stack trace:
PHP   1. {main}() /private/tmp/session-fail.php:0
PHP   2. session_start() /private/tmp/session-fail.php:8
true

 [2014-03-06 12:17 UTC] narf at devilix dot net
That's completely natural, since the cookie value is unserialized by session_start() and you can't unserialize an array(). I wouldn't consider it a bug.
 [2014-03-06 12:28 UTC] spam at krol dot me
If a malformed cookie can cause an application error, I would consider this a bug.
Maybe at least an is_string check before unserialize?
If not, I think this can be closed.
 [2014-03-06 12:36 UTC] narf at devilix dot net
Hmm, I guess you do have a point in that, although I'm not sure how $_COOKIE itself is populated.
 [2014-03-06 13:04 UTC] patryk dot kozlowski at toxic-software dot pl
Many developers consider sessions an internal PHP mechanism and don't bother to check for session ID malformation. If you want to keep this 'call session_start & play' standard, this bug definitely needs a fix (as spam mentioned: is_string will do the job).

For now you can trigger PHP_Notice error on many PHP websites (including ZF based) by executing one-line JavaScript code.
 [2014-07-06 02:27 UTC] yohgaki@php.net
-Status: Open +Status: Assigned -Assigned To: +Assigned To: yohgaki
 [2014-07-17 06:17 UTC] yohgaki@php.net
Not only $_COOKIE, but also $_GET/$_POST could be used to raise errors.
The OS does not matter, and this affects all versions.
 [2014-07-18 05:32 UTC] yohgaki@php.net
I'm going to commit to remove type mismatch E_NOTICE errors. However, the patch will not try to remove offensive cookies, probably.

Depending on cookie precedence, the session module's cookie will not be effective, i.e. users may not get a valid session, thus users cannot log in, etc.

These malformed cookies are set by JavaScript injections. The developer must fix the vulnerability, then remove the offensive cookie on their own or ask users to delete cookies.
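
The is_string check suggested earlier in the thread, applied on the application side before session_start() and combined with the cookie clean-up that the comment above leaves to the developer. This is an added example, not code from the bug report or from php-src; it is written for PHP 7 or later, and the helper names, the session ID character pattern and the cookie path '/' are assumptions.

```php
<?php
// Added example, not php-src code. Helper names, the ID pattern and the
// cookie path '/' are assumptions.

// True only for a string built from the characters PHP's built-in session
// ID generator emits; a custom session handler may need a different rule.
function is_plausible_session_id($value): bool
{
    return is_string($value)
        && preg_match('/\A[A-Za-z0-9,-]{1,256}\z/', $value) === 1;
}

// An array cookie arrives as "PHPSESSID[a][b]=x"; rebuild those names so
// each one can be expired individually.
function malformed_cookie_names(string $prefix, $value): array
{
    if (!is_array($value)) {
        return [$prefix];
    }
    $names = [];
    foreach ($value as $key => $child) {
        $names = array_merge($names, malformed_cookie_names("{$prefix}[{$key}]", $child));
    }
    return $names;
}

// Drop unusable session IDs from the request arrays before session_start()
// reads them; return the cookie names to expire in the browser.
function scrub_session_inputs(string $name, array &$cookie, array &$get, array &$post): array
{
    $expire = [];
    if (isset($cookie[$name]) && !is_plausible_session_id($cookie[$name])) {
        $expire = malformed_cookie_names($name, $cookie[$name]);
    }
    $sources = [&$cookie, &$get, &$post];
    foreach ($sources as &$source) {
        if (isset($source[$name]) && !is_plausible_session_id($source[$name])) {
            unset($source[$name]);
        }
    }
    unset($source);
    return $expire;
}

foreach (scrub_session_inputs(session_name(), $_COOKIE, $_GET, $_POST) as $cookieName) {
    if (strpbrk($cookieName, "=,; \t\r\n\013\014") === false) { // names setcookie() accepts
        setcookie($cookieName, '', 1, '/'); // expiry in the past deletes it
    }
}
session_start();
```

A cookie is only deleted when the path and domain match the ones it was set with, so the '/' used here has to be replaced with the values that apply to the affected site.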
 [2014-07-19 01:04 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=e946de29d2f337f140780086b0ccefd13e2095ef
Log: Fixed bug #66827 Session raises E_NOTICE when session name variable is array
 [2014-07-19 01:04 UTC] yohgaki@php.net
-Status: Assigned +Status: Closed
 [2014-10-07 23:13 UTC] stas@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src-security.git;a=commit;h=e946de29d2f337f140780086b0ccefd13e2095ef
Log: Fixed bug #66827 Session raises E_NOTICE when session name variable is array