Edit report at https://bugs.php.net/bug.php?id=64344&edit=1
ID:                 64344
User updated by:    nick at noodles dot net dot nz
Reported by:        nick at noodles dot net dot nz
Summary:            Option to suppress illegal session id warnings
Status:             Open
Type:               Feature/Change Request
Package:            Session related
Operating System:   All
PHP Version:        5.4.12
Block user comment: N
Private report:     N

New Comment:

@session_start would suppress all errors/warnings. There might be an instance where my session store (memcache) may not be working correctly or may be inaccessible and I wouldn't want to stop those messages.

Previous Comments:
------------------------------------------------------------------------
[2013-03-04 02:42:36] larue...@php.net

why not @session_start

------------------------------------------------------------------------
[2013-03-04 01:34:58] nick at noodles dot net dot nz

Description:
------------
We have a few users a day trying to inject things into their PHPSESSID cookie for some reason. When they request a page on our site with session_start() PHP generates a warning "session_start(): The session id is too long or contains illegal characters". This is a redundant message as PHP recovers and resets the PHPSESSID to a legal one. It would be great to see a session.warn_illegal_id (or similar) option to suppress these warnings.

Test script:
---------------
Set cookie PHPSESSID to 1747d33a3556d5bf141706eb271bf972,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,OAID=43014df373346fd1eff98e7c7d3dcfc4,JSESSIONID=20AB177A036A09CB0B9D58D19589529C,ASPSESSIONIDASBCCDAQ=MNEJOAJBPCMLMPEDCMFCKGKL,JSESSIONID=UZBDOYZSUXNZCCUUCAZSFFA

Request a page with session_start();

Expected result:
----------------
I expect session_start() to fail quietly and regenerate the PHPSESSID to a valid value.

Actual result:
--------------
Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

------------------------------------------------------------------------

--
Edit this bug report at https://bugs.php.net/bug.php?id=64344&edit=1
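
An application-side way to get the behaviour requested in this report, added here as an example (it is not code from the report or from PHP): check the incoming session cookie against the character set named in the warning and drop it before session_start(), so that only the illegal-id warning goes away and session store errors still surface. The function names and the 128-character limit are assumptions, and the sketch assumes the ID arrives only by cookie (session.use_only_cookies=1).

```php
<?php
// Added example: pre-validate the session cookie instead of using @session_start().
// Function names and $maxLen are hypothetical; adjust $maxLen to your ID length.

/**
 * True when $id contains only the characters listed in the warning text
 * (a-z, A-Z, 0-9, '-' and ',') and is between 1 and $maxLen bytes long.
 */
function is_plausible_session_id($id, $maxLen = 128)
{
    return is_string($id)
        && $id !== ''
        && strlen($id) <= $maxLen
        && preg_match('/\A[A-Za-z0-9,-]+\z/', $id) === 1;
}

/**
 * Drops an ill-formed session cookie from $_COOKIE, then starts the session.
 * With no usable cookie, session_start() issues a fresh ID. No @ operator is
 * used, so save-handler warnings (e.g. memcache unreachable) are still raised.
 */
function start_session_dropping_bad_id($maxLen = 128)
{
    $name = session_name();

    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name], $maxLen)) {
        // Record only the size and type: the value is client-controlled and
        // should not be written to the log verbatim.
        $size = is_string($_COOKIE[$name]) ? strlen($_COOKIE[$name]) : -1;
        error_log(sprintf(
            'Discarded ill-formed %s cookie (%d bytes, -1 means non-string) from %s',
            $name,
            $size,
            isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ));
        unset($_COOKIE[$name]);
    }

    return session_start();
}

// Constructed sample: a shortened form of the cookie value in the test script.
// '=' is outside the allowed set, so the value is rejected.
$sample = '1747d33a3556d5bf141706eb271bf972,OAID=43014df373346fd1eff98e7c7d3dcfc4';
var_dump(is_plausible_session_id($sample));                              // bool(false)
var_dump(is_plausible_session_id('1747d33a3556d5bf141706eb271bf972'));   // bool(true)
```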