ID: 38224
Updated by: [EMAIL PROTECTED]
Reported By: toni at schornboeck dot net
-Status: Open
+Status: Assigned
Bug Type: Session related
Operating System: windows
PHP Version: 5.1.4
-Assigned To:
+Assigned To: iliaa
Previous Comments:
------------------------------------------------------------------------
[2006-07-26 15:34:27] toni at schornboeck dot net
Description:
------------
session_start() can't handle broken cookies at all.
When a cookie with the name of the session exists, even if it's
malformed, for example containing invalid characters, session_start
just assumes it is a correct session id - and fails horribly when
trying to save data in a file with that "id".
Reproduce code:
---------------
<?php
ob_start();
//setcookie('session_cookie', gzcompress('ä#+´!')); //just call once
session_name('session_cookie');
session_start();
echo 'test = ',$_SESSION['test'];
$_SESSION['test']='foo';
ob_end_flush();
?>
Expected result:
----------------
Either session_start() should return false or it needs to overwrite the
cookie.
Nevertheless this code shouldn't produce any errors and save the
session variable test correctly.
Output:
test = foo
Actual result:
--------------
Warning: session_start() [function.session-start]: The session id
contains illegal characters, valid characters are a-z, A-Z, 0-9 and
'-,' in C:\xampp\xampp\htdocs\yawe\bug.php on line 6
test =
Warning: Unknown: The session id contains illegal characters, valid
characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
Warning: Unknown: Failed to write session data (files). Please verify
that the current setting of session.save_path is correct
(C:\xampp\xampp\tmp) in Unknown on line 0
and session_start sets the cookie with the same corrupted "session id"
again...
------------------------------------------------------------------------
--
Edit this bug report at http://bugs.php.net/?id=38224&edit=1
