|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #73529 session_decode() silently fails on wrong input
Submitted: 2016-11-15 14:55 UTC Modified: 2016-11-27 01:26 UTC
Avg. Score:3.5 ± 0.5
Reproduced:0 of 0 (0.0%)
From: love at sickpeople dot se Assigned: yohgaki (profile)
Status: Closed Package: Session related
PHP Version: 7.1.0RC6 OS:
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: love at sickpeople dot se
New email:
PHP Version: OS:


 [2016-11-15 14:55 UTC] love at sickpeople dot se
The session_decode() returns true on most invalid values. Eg NULL, ints, strings in wrong format and empty strings.

The docs state "Returns TRUE on success or FALSE on failure." and invalid input should be considered an error.


An important aspect of this is passing data serialized with another method than the current "session.serialize_handler". These should be considered an error as well. I think this is implied by the docs:

  "By default, the unserialization method used is internal to PHP, and is not the same as unserialize(). The serialization method can be set using session.serialize_handler."

The following two test scripts shows that setting A as serialize handler and passing input serialized with B leads to a silent error. The $_SESSION is not populated but true is returned.


/* Test 1 */

$data = array ('foo' => 'bar');

ini_set ('session.serialize_handler', 'php');

session_start ();

var_dump (session_decode (serialize ($data)));

var_dump ($_SESSION);

/* Test 2 */

ini_set ('session.serialize_handler', 'php_serialize');

session_start ();

var_dump (session_decode ('foo|s:3:"bar";'));

var_dump ($_SESSION);

Test script:
ini_set ('session.serialize_handler', 'php');

session_start ();

var_dump (session_decode ("foo"));

Expected result:
session_decode() to return false.

Actual result:
session_decode() returns true.


Add a Patch

Pull Requests

Pull requests:

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2016-11-27 01:26 UTC]
-Assigned To: +Assigned To: yohgaki
 [2020-06-10 10:05 UTC]
The following pull request has been associated:

Patch Name: Fix #73529: session_decode() silently fails on wrong input
On GitHub:
 [2020-06-10 14:48 UTC]
Automatic comment on behalf of
Log: Fix #73529: session_decode() silently fails on wrong input
 [2020-06-10 14:48 UTC]
-Status: Assigned +Status: Closed
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sat Jan 23 02:01:25 2021 UTC