php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68063 Empty session IDs do still start sessions
Submitted: 2014-09-20 11:15 UTC Modified: 2016-01-15 01:57 UTC
Votes:17
Avg. Score:3.9 ± 1.1
Reproduced:15 of 16 (93.8%)
Same Version:7 (46.7%)
Same OS:4 (26.7%)
From: mail at thomasbachem dot com Assigned: yohgaki
Status: Closed Package: Session related
PHP Version: 5.5.17 OS:
Private report: No CVE-ID:
 [2014-09-20 11:15 UTC] mail at thomasbachem dot com
Description:
------------
If an empty session ID is given to PHP (e.g. a cookie with "PHPSESSID=; path=/" or simply by calling "session_id('')"), session_start() will throw an E_WARNING error from the default session handler ("session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'") but still returns true and starts a session.

Now session_id() returns '' (the manual states this only happens if there is no current session), but the session was still started, and custom session save handlers are given an empty session ID. If they don't handle that case, a session handler may then actually save session data for an empty session ID. Even the examples from the manual (http://php.net/manual/en/function.session-set-save-handler.php) don't check for an empty session ID.

Test script:
---------------
<?php

// Could also be set with a cookie like "PHPSESSID=; path=/"
session_id('');

// Will still start the session and return true
var_dump(session_start());

// Returns an empty string
var_dump(session_id());

Expected result:
----------------
I would expect session_start() to regenerate a session ID OR to fail, return false and not trigger any session save handlers.

Actual result:
--------------
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in emptysession.php on line 5

boolean true

string '' (length=0)

Warning: Unknown: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0

Patches

bug68063.patch (last revision 2016-01-12 22:28 UTC) by yohgaki@php.net)

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-03 04:51 UTC] yohgaki@php.net
Automatic comment on behalf of yohgaki
Revision: http://git.php.net/?p=php-src.git;a=commit;h=853ae39d6ea6a4d2ce95098744e481a1e8573ad8
Log: Fixed bug #68063 Empty session IDs do still start sessions
 [2015-02-03 04:51 UTC] yohgaki@php.net
-Status: Open +Status: Closed
 [2015-06-29 21:26 UTC] yohgaki@php.net
-Status: Closed +Status: Re-Opened -Assigned To: +Assigned To: yohgaki
 [2015-06-29 21:26 UTC] yohgaki@php.net
It seems I shouldn't raise error here.
Some clients send empty session ID sometimes in rare case. It's probably due to race condition by session_regenerate_id(true). I got report this case from more than 10k RPM site.

One possible solution is create new session ID automatically when session ID is empty. 

Another possible resolution is to implement lazy destruction of session data and not deleting old session ID immediately. Related to https://bugs.php.net/bug.php?id=69127

Re-opened this bug for the time being.
 [2015-12-29 00:32 UTC] yohgaki@php.net
-Status: Re-Opened +Status: Analyzed
 [2016-01-12 22:27 UTC] yohgaki@php.net
Fix is committed already, but it's not appropriate.

	if (PS(id) && !strlen(PS(id))) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot start session with empty session ID");
		RETURN_FALSE;
	}

The reason why session ID became empty is browser's cookie handling. To workaround this, session module should keep old session ID for a while. 

https://wiki.php.net/rfc/precise_session_management

Session module should not raise error, but generate new when session ID cookie became empty.
 [2016-01-12 22:28 UTC] yohgaki@php.net
The following patch has been added/updated:

Patch Name: bug68063.patch
Revision:   1452637734
URL:        https://bugs.php.net/patch-display.php?bug=68063&patch=bug68063.patch&revision=1452637734
 [2016-01-15 01:32 UTC] yohgaki@php.net
-Status: Analyzed +Status: Closed
 [2016-01-15 01:32 UTC] yohgaki@php.net
http://git.php.net/?p=php-src.git;a=commitdiff;h=8c37a086c78a66517967fcb809fb53297becfe42

Improved fix that ignores empty session ID is committed.
 [2016-01-15 01:57 UTC] yohgaki@php.net
To resolve this issue fully, previously mentioned RFC must be implemented and used. Otherwise, users may experience random session reset on occasion.
 
PHP Copyright © 2001-2017 The PHP Group
All rights reserved.
Last updated: Wed Apr 26 19:01:43 2017 UTC