From:             [EMAIL PROTECTED]
Operating system: linux
PHP version:      4.0.4pl1
PHP Bug Type:     Feature/Change Request
Bug description:  session_start()  session_resume()  session_create()

WARNING: possible exploitation
When a client requests a PHPSESSID that doesn't exists on the server, session_start() 
creates one with the same SID. In this manner the client could write a SID of his 
choice, even a long one or a dangerous one. Or more commonly, an HTTP cache somewhere 
could send a previously used phpsessid but that was closed. 
If session_start() creates a (previously closed) phpsession with the same sid 
specified by the client, some ugly effects could happen. 

Please make a new function, session_resume() that tries to resume phpsession, but 
never to create new one. Viceversa, session_create() should be able only to create.

session_resume($sid) : return TRUE when the specified session exists and thus is 
correctly resumed, FALSE otherwise.
session_create($sid) : retun TRUE when a non-existent session is correctly created, 
FALSE otherwise

In this manner I could code in this manner: 

if (isset($HTTP_GET_VARS['session_id'])) {
         $sid = $HTTP_GET_VARS['session_id'])

} else if (isset($HTTP_POST_VARS['session_id'])) {
         $sid = $HTTP_POST_VARS['session_id'])

} else if (isset($HTTP_COOKIE_VARS['session_id'])) {
         $sid = $HTTP_COOKIE_VARS['session_id'])


if (isset($sid)) {          // the client requests to resume a session
         $ok = session_resume( $sid );
         if (!$ok) { 
          session_create(); // with a NEW random sid

} else {


Alternatively, it would be nice if there is a new function, say session_nstart that 
resumes existent phpsession returning "resumed", otherwise creates a new session  
*with a different sid*, returning "new".

It is very important for me, thanks!
regards, siva

Edit Bug report at:

PHP Development Mailing List <>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]

Reply via email to