php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #71243 session_start() returns true, even for invalid session ids
Submitted: 2015-12-30 10:14 UTC Modified: 2016-01-12 21:52 UTC
Votes:1
Avg. Score:3.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: maggus dot staab at googlemail dot com Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: Irrelevant OS: Ubuntu12 lts
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem:
25 + 2 = ?
Subscribe to this entry?

 
 [2015-12-30 10:14 UTC] maggus dot staab at googlemail dot com
Description:
------------
session_start() returns true, even if the configured session_id() is invalid.

This is similar to https://bugs.php.net/bug.php?id=65795 but I guess the cause is different.

Test script:
---------------
https://3v4l.org/HXRoR

session_id('öäü');
var_dump(session_start());

Expected result:
----------------
Warning: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /in/HXRoR on line 4
bool(false)

Actual result:
--------------
Warning: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /in/HXRoR on line 4
bool(true)

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2015-12-30 13:05 UTC] laruence@php.net
-Assigned To: +Assigned To: yohgaki
 [2015-12-31 00:32 UTC] yohgaki@php.net
-Status: Assigned +Status: Analyzed
 [2015-12-31 00:32 UTC] yohgaki@php.net
@maggus Thank you for the report.
The cause is different. The cause is 

static void ps_files_open(ps_files *data, const char *key TSRMLS_DC)

is not returning status properly.

Many session internal functions were written w/o return values originally. It's time for cleanup to fix these issues. Some of them will be only for PHP 7.1 as PHPAPI needs changes.
 [2015-12-31 00:56 UTC] yohgaki@php.net
I have to change this function's signature

PHPAPI void php_session_start(TSRMLS_D)

Fix will be only for 7.1 and later.
 [2015-12-31 01:18 UTC] yohgaki@php.net
I have to kill broken save handler implementations also. i.e. BC

static void php_session_initialize(TSRMLS_D
**SNIP**
	if (PS(mod)->s_read(&PS(mod_data), PS(id), &val, &vallen TSRMLS_CC) == FAILURE) {
		/* Some broken save handler implementation returns FAILURE for non-existent session ID */
		/* It's better to raise error for this, but disabled error for better compatibility */
		/*
		php_error_docref(NULL TSRMLS_CC, E_NOTICE, "Failed to read session data: %s (path: %s)", PS(mod)->s_name, PS(save_path));
		*/
	}
 [2016-01-12 21:51 UTC] yohgaki@php.net
Bug #71122 is fixed and this bug is also fixed on PHP 7.0 and later.
 [2016-01-12 21:52 UTC] yohgaki@php.net
-Status: Analyzed +Status: Closed
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Thu Mar 28 09:01:26 2024 UTC