|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #68063 Empty session IDs do still start sessions
Submitted: 2014-09-20 11:15 UTC Modified: 2016-01-15 01:57 UTC
Avg. Score:3.9 ± 1.1
Reproduced:15 of 16 (93.8%)
Same Version:7 (46.7%)
Same OS:4 (26.7%)
From: mail at thomasbachem dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 5.5.17 OS:
Private report: No CVE-ID: None
 [2014-09-20 11:15 UTC] mail at thomasbachem dot com
If an empty session ID is given to PHP (e.g. a cookie with "PHPSESSID=; path=/" or simply by calling "session_id('')"), session_start() will throw an E_WARNING error from the default session handler ("session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'") but still returns true and starts a session.

Now session_id() returns '' (the manual states this only happens if there is no current session), but the session was still started, and custom session save handlers are given an empty session ID. If they don't handle that case, a session handler may then actually save session data for an empty session ID. Even the examples from the manual ( don't check for an empty session ID.

Test script:

// Could also be set with a cookie like "PHPSESSID=; path=/"

// Will still start the session and return true

// Returns an empty string

Expected result:
I would expect session_start() to regenerate a session ID OR to fail, return false and not trigger any session save handlers.

Actual result:
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in emptysession.php on line 5

boolean true

string '' (length=0)

Warning: Unknown: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct () in Unknown on line 0


bug68063.patch (last revision 2016-01-12 22:28 UTC by

Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2015-02-03 04:51 UTC]
Automatic comment on behalf of yohgaki
Log: Fixed bug #68063 Empty session IDs do still start sessions
 [2015-02-03 04:51 UTC]
-Status: Open +Status: Closed
 [2015-06-29 21:26 UTC]
-Status: Closed +Status: Re-Opened -Assigned To: +Assigned To: yohgaki
 [2015-06-29 21:26 UTC]
It seems I shouldn't raise error here.
Some clients send empty session ID sometimes in rare case. It's probably due to race condition by session_regenerate_id(true). I got report this case from more than 10k RPM site.

One possible solution is create new session ID automatically when session ID is empty. 

Another possible resolution is to implement lazy destruction of session data and not deleting old session ID immediately. Related to

Re-opened this bug for the time being.
 [2015-12-29 00:32 UTC]
-Status: Re-Opened +Status: Analyzed
 [2016-01-12 22:27 UTC]
Fix is committed already, but it's not appropriate.

	if (PS(id) && !strlen(PS(id))) {
		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot start session with empty session ID");

The reason why session ID became empty is browser's cookie handling. To workaround this, session module should keep old session ID for a while.

Session module should not raise error, but generate new when session ID cookie became empty.
 [2016-01-12 22:28 UTC]
The following patch has been added/updated:

Patch Name: bug68063.patch
Revision:   1452637734
 [2016-01-15 01:32 UTC]
-Status: Analyzed +Status: Closed
 [2016-01-15 01:32 UTC];a=commitdiff;h=8c37a086c78a66517967fcb809fb53297becfe42

Improved fix that ignores empty session ID is committed.
 [2016-01-15 01:57 UTC]
To resolve this issue fully, previously mentioned RFC must be implemented and used. Otherwise, users may experience random session reset on occasion.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Tue May 21 06:01:35 2024 UTC