|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #9170 session_start() session_resume() session_create()
Submitted: 2001-02-08 04:23 UTC Modified: 2002-01-28 19:58 UTC
From: sivasubraj at lycosmail dot com Assigned:
Status: Not a bug Package: Feature/Change Request
PHP Version: 4.0.4pl1 OS: linux
Private report: No CVE-ID: None
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If this is not your bug, you can add a comment by following this link.
If this is your bug, but you forgot your password, you can retrieve your password here.
Bug Type:
From: sivasubraj at lycosmail dot com
New email:
PHP Version: OS:


 [2001-02-08 04:23 UTC] sivasubraj at lycosmail dot com
WARNING: possible exploitation
When a client requests a PHPSESSID that doesn't exists on the server, session_start() creates one with the same SID. In this manner the client could write a SID of his choice, even a long one or a dangerous one. Or more commonly, an HTTP cache somewhere could send a previously used phpsessid but that was closed. 
If session_start() creates a (previously closed) phpsession with the same sid specified by the client, some ugly effects could happen. 

Please make a new function, session_resume() that tries to resume phpsession, but never to create new one. Viceversa, session_create() should be able only to create.

session_resume($sid) : return TRUE when the specified session exists and thus is correctly resumed, FALSE otherwise.
session_create($sid) : retun TRUE when a non-existent session is correctly created, FALSE otherwise

In this manner I could code in this manner: 

if (isset($HTTP_GET_VARS['session_id'])) {
         $sid = $HTTP_GET_VARS['session_id'])

} else if (isset($HTTP_POST_VARS['session_id'])) {
         $sid = $HTTP_POST_VARS['session_id'])

} else if (isset($HTTP_COOKIE_VARS['session_id'])) {
         $sid = $HTTP_COOKIE_VARS['session_id'])


if (isset($sid)) {          // the client requests to resume a session
         $ok = session_resume( $sid );
         if (!$ok) { 
	  session_create(); // with a NEW random sid

} else {


Alternatively, it would be nice if there is a new function, say session_nstart that resumes existent phpsession returning "resumed", otherwise creates a new session  *with a different sid*, returning "new".

It is very important for me, thanks!
regards, siva


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2002-01-28 19:58 UTC]
I made this bogus, please ask why in php-general.
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Fri Jul 19 10:01:29 2024 UTC