From: nick at noodles dot net dot nz
Operating system: All
PHP version: 5.4.12
Package: Session related
Bug Type: Feature/Change Request
Bug description: Option to suppress illegal session id warnings

Description:
------------
We have a few users a day trying to inject things into their PHPSESSID cookie for some reason. When they request a page on our site with session_start() PHP generates a warning "session_start(): The session id is too long or contains illegal characters". This is a redundant message as PHP recovers and resets the PHPSESSID to a legal one. It would be great to see a session.warn_illegal_id (or similar) option to suppress these warnings.

Test script:
---------------
Set cookie PHPSESSID to 1747d33a3556d5bf141706eb271bf972,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,JSESSIONID=20AB177A036A09CB0B9D58D19589529C,ASPSESSIONIDASBCCDAQ=MNEJOAJBPCMLMPEDCMFCKGKL,JSESSIONID=UZBDOYZSUXNZCCUUCAZSFFA

Request a page with session_start();

Expected result:
----------------
I expect session_start() to fail quietly and regenerate the PHPSESSID to a valid value.

Actual result:
--------------
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

--
Edit bug report at https://bugs.php.net/bug.php?id=64344&edit=1
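
Added example (not part of the bug report and not PHP project code): one way to get the quiet behaviour requested above on the application side is to check the cookie against the character set named in the warning and discard it before session_start() runs. The 128-character cap and the function names are assumptions, and the sketch assumes session ids arrive only by cookie.

```php
<?php
// Added example, not from the bug report. MAX_SID_LEN is an assumed cap;
// PHP's real limit depends on the save handler and session.save_path.
const MAX_SID_LEN = 128;

/** True if $id uses only the characters named in the warning text. */
function sid_is_well_formed($id)
{
    return is_string($id)
        && preg_match('/\A[A-Za-z0-9,-]{1,' . MAX_SID_LEN . '}\z/', $id) === 1;
}

/**
 * Remove a malformed session cookie from $cookies so session_start()
 * sees no id and issues a fresh one. Returns a log-safe excerpt of the
 * rejected value, or null if the cookie was absent or well formed.
 */
function drop_malformed_sid(array &$cookies, $name)
{
    if (!isset($cookies[$name]) || sid_is_well_formed($cookies[$name])) {
        return null;
    }
    $raw = is_string($cookies[$name]) ? $cookies[$name] : gettype($cookies[$name]);
    unset($cookies[$name]);
    // Strip non-printable bytes and truncate before the value reaches a log.
    return substr(preg_replace('/[^\x20-\x7E]/', '?', $raw), 0, 64);
}

/** Intended call site: run the check, then start the session. */
function start_session_checked()
{
    $rejected = drop_malformed_sid($_COOKIE, session_name());
    if ($rejected !== null) {
        error_log('rejected session id: ' . $rejected);
    }
    return session_start();
}

// Constructed sample input, shortened from the shape shown in the report.
$sample = array(
    'PHPSESSID' => '1747d33a3556d5bf141706eb271bf972,OAID=43014df373346fd1eff98e7c7d3dcfc4',
);
var_dump(drop_malformed_sid($sample, 'PHPSESSID')); // log excerpt ('=' is not allowed)
var_dump(isset($sample['PHPSESSID']));              // whether the entry survived
var_dump(sid_is_well_formed('1747d33a3556d5bf141706eb271bf972'));
```

Logging the rejected excerpt keeps the injection attempts visible to monitoring while removing the per-request warning.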