Hello, first I'm inquiring about this: http://bugs.php.net/bug.php?id=23681
Currently (in 5.0.3 at least), if someone makes a request with invalid session id characters, Warnings are output:

    PHP Warning: session_start(): The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in script.php on line 24
    PHP Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
    PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/session/path) in Unknown on line 0

Now, as far as I can tell, you can't check the session id until you call session_start(), which unfortunately spits out a warning, so I end up with code something like this:

    if (isset($_REQUEST['PHPSESSID']) && !preg_match('/^[-,0-9a-z]*$/i', $_REQUEST['PHPSESSID'])) {
        @session_start();
        session_regenerate_id();
    } else {
        session_start();
    }

Has this always been true or is it a bug? This old article on zend.com seems to imply that this hasn't always been the case: http://www.zend.com/zend/spotlight/sessionauth7may.php

    "If no session ID was provided, or the session ID provided was invalid, PHP creates a new ID that it then passes on to the browser (in either cookie form or by GET method). Through this mechanism, PHP ensures that in the event no valid session ID is given (as either a cookie or GET parameter to PHP when the page is requested), it is assigned one for future requests."

So, can the error be downgraded to a Notice or can some other fix be applied?

Secondly, the documentation is a bit confusing:

1. While the manual states "For example, the file session handler only allows characters in the range a-z, A-Z and 0-9!", the source code and the error message show that "-" and "," are allowed as well.

2. While one manual page states, "you can use the constant SID which is always defined. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string." Another manual page states "Note that SID is only defined if the client didn't send the right cookie." From what I can tell, before session_start() is called SID evaluates to the string "SID" (implying it is not defined), and after session_start() is called it will be either session_name=session_id or an empty string.

Thanks.

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
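The workaround in the message above suppresses the warning with @ and then regenerates the id. An alternative that avoids the warnings entirely is to validate the presented id before session_start() and, when it is malformed, discard it and hand PHP a server-generated id, so the client's crafted value never reaches the save handler. The following is an added example, not code from the message or from the PHP project; it assumes PHP 7.1 or later (for session_create_id()) and the default files save handler, and reads the session name via session_name() instead of hard-coding PHPSESSID. The allowed character set is the one quoted in the warning above (a-z, A-Z, 0-9, '-' and ','); the length cap of 128 is an assumption added here, not a PHP rule.

```php
<?php
// Added example (not from the original message). Assumes PHP >= 7.1 and the
// default "files" session save handler.

/**
 * Accept only the characters the files handler permits, as quoted in the
 * warning: a-z, A-Z, 0-9, '-' and ','. The 1..128 length bound is an
 * assumption of this example; PHP itself does not enforce it.
 */
function session_id_is_valid(string $id): bool
{
    return (bool) preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $id);
}

/**
 * Return the session id the client presented, or null if none was sent.
 * The cookie is checked first; GET/POST are consulted only when
 * session.use_trans_sid is enabled, mirroring how PHP itself looks it up.
 */
function presented_session_id(): ?string
{
    $name = session_name();
    if (isset($_COOKIE[$name])) {
        return (string) $_COOKIE[$name];
    }
    if (ini_get('session.use_trans_sid')) {
        if (isset($_GET[$name])) {
            return (string) $_GET[$name];
        }
        if (isset($_POST[$name])) {
            return (string) $_POST[$name];
        }
    }
    return null;
}

/**
 * Start the session without ever passing a malformed client id to the
 * save handler. A malformed id is logged and replaced by a fresh id that
 * PHP generated itself; session_start() then sends the new cookie.
 */
function start_session_safely(): bool
{
    $name = session_name();
    $presented = presented_session_id();

    if ($presented !== null && !session_id_is_valid($presented)) {
        // Drop the client-supplied value from every source PHP would read it
        // from, then set a server-generated id before session_start().
        unset($_COOKIE[$name], $_GET[$name], $_POST[$name]);
        session_id(session_create_id());

        // Worth recording: a malformed id is either a broken client or
        // someone probing the session layer.
        error_log(sprintf(
            'session: discarded malformed session id (%d bytes) from %s',
            strlen($presented),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
    }

    return session_start();
}

start_session_safely();
```

Because session_id() is called before session_start(), PHP skips its own cookie lookup and uses the supplied id, so none of the three warnings quoted in the message are emitted and no attempt is made to open a session file named after the malformed value.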