Bug #7044 Session file created when using bogus SESSIONID
Submitted: 2000-10-05 17:27 UTC
Modified: 2000-10-16 14:18 UTC
From: kimmel at tricos dot com
Assigned:
Status: Closed
Package: Session related
PHP Version: 4.0.2
OS: Windows NT 4 Workstation
Private report: No
CVE-ID: None
 [2000-10-05 17:27 UTC] kimmel at tricos dot com
I'm using the <?=SID?> feature to automatically append the corresponding session ID to every link, so that no cookies are required to use the site.

A sample URL as visible on the browser's address bar:
http://webtest/human_resources.phtml?SESSIONID=cca7f03abde2c33077df25999850d6dc

Now if I change the SESSIONID parameter to something really stupid, PHP simply creates a file with exactly that name, regardless of whether a session with that SESSIONID has ever been created before by session_start():

http://webtest/human_resources.phtml?SESSIONID=stupidsessionid

creates the file "sessstupidsessionid" in the session directory.

Why?
This way someone could fill up the whole directory!

 [2000-10-05 19:28 UTC] kimmel at tricos dot com
JFYI: I'm using IIS/PWS (SP5) with the PHP CGI version.

 [2000-10-05 20:20 UTC] kimmel at tricos dot com
JFYI: I'm using IIS/PWS (SP5) with the PHP CGI version.

 [2000-10-16 14:18 UTC] sas@php.net
That is comparable to having many visitors to your site. 
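
The behaviour reported in this thread (an ID chosen by the client becoming the name of a session file) can be refused at session start in later PHP versions. The following is an added example, not code from the report or from the PHP project; it assumes PHP 7.3 or newer, the default `files` save handler, and a site that can require cookies instead of the `<?=SID?>` URL parameter the reporter used.

```php
<?php
// Added example (not from the bug report). Assumes PHP >= 7.3 and the
// default "files" session save handler.

// Take the session ID from the cookie only, so a ?SESSIONID=... query
// parameter like the one in the report is ignored.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');

// Strict mode: an ID that does not match an existing session (for the
// files handler: no session file with that name) is discarded and a
// fresh server-generated ID is used instead, so a value such as
// "stupidsessionid" is never adopted as a file name.
ini_set('session.use_strict_mode', '1');

session_name('SESSIONID');          // parameter name taken from the report
session_set_cookie_params([
    'httponly' => true,             // keep the ID away from page scripts
    'samesite' => 'Lax',
]);
session_start();

// Defence in depth for save handlers that do not validate IDs: only
// keep using a session that this application initialised itself.
if (empty($_SESSION['initiated'])) {
    session_regenerate_id(true);    // issue a new ID, delete the old file
    $_SESSION['initiated'] = time();
}
```

Strict mode only stops the client from choosing the ID; every new visitor still gets a session file, so the disk-usage concern is handled separately by session garbage collection (`session.gc_maxlifetime`).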
 