php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Return to Bug #68063
Patch bug68063.patch revision 2016-01-12 22:28 UTC by yohgaki@php.net

Patch bug68063.patch for Session related Bug #68063

Patch version 2016-01-12 22:28 UTC

Return to Bug #68063 | Download this patch
Patch Revisions:

Developer: yohgaki@php.net

diff --git a/ext/session/session.c b/ext/session/session.c
index f5439ea..fe16525 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -485,7 +485,10 @@ static void php_session_initialize(TSRMLS_D) /* {{{ */
 	}
 
 	/* If there is no ID, use session module to create one */
-	if (!PS(id)) {
+	if (!PS(id) || !PS(id)[0]) {
+		if (PS(id)) {
+			efree(PS(id));
+		}
 		PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
 		if (!PS(id)) {
 			php_error_docref(NULL TSRMLS_CC, E_ERROR, "Failed to create session ID: %s (path: %s)", PS(mod)->s_name, PS(save_path));
@@ -2065,10 +2068,6 @@ static PHP_FUNCTION(session_decode)
 static PHP_FUNCTION(session_start)
 {
 	/* skipping check for non-zero args for performance reasons here ?*/
-	if (PS(id) && !strlen(PS(id))) {
-		php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot start session with empty session ID");
-		RETURN_FALSE;
-	}
 
 	php_session_start(TSRMLS_C);
 
diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt
index d3da470..e6a5b09 100644
--- a/ext/session/tests/bug68063.phpt
+++ b/ext/session/tests/bug68063.phpt
@@ -5,16 +5,17 @@ Bug #68063 (Empty session IDs do still start sessions)
 --INI--
 --FILE--
 <?php
+// Empty session ID may happen by browser bugs
+
 // Could also be set with a cookie like "PHPSESSID=; path=/"
 session_id('');
 
-// Will still start the session and return true
+// Start the session with empty string should result in new session ID
 var_dump(session_start());
 
-// Returns an empty string
+// Returns newly created session ID
 var_dump(session_id());
 ?>
 --EXPECTF--
-Warning: session_start(): Cannot start session with empty session ID in %s on line %d
-bool(false)
-string(0) ""
+bool(true)
+string(%d) "%s"
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Mon Sep 23 11:01:27 2019 UTC