Edit report at https://bugs.php.net/bug.php?id=40470&edit=1
ID:                 40470
Updated by:         yohg...@php.net
Reported by:        ceo at l-i-e dot com
Summary:            Invalid session id should specify actual ID
-Status:            Assigned
+Status:            Wont fix
Type:               Feature/Change Request
Package:            Session related
Operating System:   *
PHP Version:        5.2.1
Assigned To:        yohgaki
Block user comment: N
Private report:     N

New Comment:

Writing user inputs to a log can be a cause of security issues. Invalid
session ID chars are an obvious attack and you should take countermeasures
rather than logging them.

Are you using session autostart? If so, I would suggest you start the
session manually, and register your own error handler that logs the IP
address when an error occurs *before* starting the session.

Previous Comments:
------------------------------------------------------------------------
[2007-02-14 00:07:33] ceo at l-i-e dot com

Description:
------------
A message such as this:
[04-Dec-2006 18:21:56] PHP Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0

should be improved to specify the actual invalid ID.

A busy site with many sessions will need that info to trace down the bug quickly.

Expected result:
----------------
Something like this:
[04-Dec-2006 18:21:56] PHP Warning: Unknown: The session id '$#!^' contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0

------------------------------------------------------------------------
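
The approach suggested in the maintainer's comment, sketched as an added example (not code from the bug report or from PHP itself). It assumes session.auto_start is off and the ID arrives in the session cookie; the function names are hypothetical, and logging a length and hash prefix in place of the raw ID is this example's own choice, made so the submitted bytes never reach the log.

```php
<?php
// Added example. Assumes session.auto_start = 0, so this code runs
// before the session module reads the client-supplied ID.

// Summarise untrusted input for a log line without copying it verbatim.
// Length plus a short SHA-256 prefix is enough to correlate repeats.
function describe_untrusted($value)
{
    if (!is_string($value)) {
        return 'type=' . gettype($value);
    }
    return sprintf('len=%d sha256=%s',
        strlen($value), substr(hash('sha256', $value), 0, 16));
}

// Hypothetical handler: records who triggered a warning during startup.
function session_warning_handler($errno, $errstr, $errfile, $errline)
{
    $name = session_name();
    // REMOTE_ADDR is the TCP peer as seen by the server, not a header.
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    // Assumption: the ID comes from the cookie, not from GET or POST.
    $sid = isset($_COOKIE[$name])
        ? describe_untrusted($_COOKIE[$name]) : 'no-cookie';
    error_log(sprintf('session warning from %s (%s): %s', $ip, $sid, $errstr));
    $GLOBALS['session_warned'] = true;
    return true; // handled here; skip PHP's built-in handler
}

$GLOBALS['session_warned'] = false;

// Register the handler *before* starting the session, then start manually.
set_error_handler('session_warning_handler', E_WARNING);
session_start();
restore_error_handler();

if ($GLOBALS['session_warned']) {
    // One possible countermeasure (an assumption, not from the report):
    // expire the offending cookie and refuse the request.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain']);
    header('HTTP/1.1 400 Bad Request');
    exit;
}
```

The handler catches any warning raised during session_start(), so the PHP-generated message text is logged alongside the client address to tell an invalid ID apart from other startup failures.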