Recently our company started scanning a new ZF based site we just
launched. It's some sort of security scanner that checks for things
like sql injection, XSS, etc. Anyway, it presented a problem with
sessions that I've never encountered before. This scanner, for whatever
reason, resets all cookie values to some weird uri. So now, instead of
the session cookie looking like:

e3200af3b875e6c78e916e49c6acc315

it looks like:

http://example.com/some.html

The URI obviously has characters like ':' and '/', which are of course illegal characters for a session id. The problem? First of all, this throws a Zend_Session_Exception, example:

[21-Aug-2007 15:05:50] PHP Fatal error: Uncaught exception 'Zend_Session_Exception' with message 'Zend_Session::start() - session_start(): The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'' in /z/applib/lib/Zend/Session.php:379
Stack trace:
#0 /z/applib/app/bootstrap.php(72): Zend_Session::start()
#1 /z/www/obscurity_network/app/networkbootstrap.php(53): require('/z/applib/app/b...')
#2 /z/www/obscurity.obscurity.com/index.php(9): require('/z/www/obscurity_net...')
#3 {main}
thrown in /z/applib/lib/Zend/Session.php on line 379

Secondly though, the reason this happens in the first place is that PHP actually throws a warning when a session id contains illegal characters. Example:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /obscurity.php on line 88

What do you guys think? In my opinion, the session extension should gracefully handle this without a warning. Then again, cookies can be considered user input, therefore should be filtered ... I dunno. At the very least, something should be added to the Zend_Session start() method to check the session id before session_start() is called. At most, a bug report should be filed at php.net to change the behavior of the warning. I'm willing to help however I can, but wanted some opinions first. (BTW, running PHP 5.2.2)

Regards,
Tony
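The pre-check the post asks for, written out as an added example (this is not Zend_Session's code and not part of the original message). It treats the session cookie as untrusted input: the raw cookie value is matched against the character set quoted in PHP's own warning (a-z, A-Z, 0-9, '-' and ','), and a malformed value is replaced with a freshly generated id via session_id() before session_start() runs, so PHP never sees the bad cookie. The length bound of 1..128, the use of random_bytes() (PHP 7 or later), and the helper names are assumptions made for this example.

```php
<?php
// Added example: validate the session cookie before session_start() so a
// malformed id (such as a URI injected by a scanner) is discarded instead of
// triggering "The session id contains illegal characters".

// Allowed characters are the ones listed in PHP's warning text.
// The 1..128 length bound is an assumption for this example.
const SESSION_ID_PATTERN = '/^[A-Za-z0-9,-]{1,128}$/';

function isValidSessionId($id)
{
    return is_string($id) && preg_match(SESSION_ID_PATTERN, $id) === 1;
}

function generateSessionId()
{
    // Assumes PHP >= 7 for random_bytes(); hex output always matches the pattern.
    return bin2hex(random_bytes(16));
}

// Decide which id session_start() will use, given the raw cookie array and
// the session cookie name. Returns a replacement id, or null to keep PHP's
// default behaviour. Kept free of side effects so it can be unit-tested.
function chooseSessionId(array $cookies, $name)
{
    if (!isset($cookies[$name])) {
        return null;                 // no cookie: PHP mints a fresh id itself
    }
    if (isValidSessionId($cookies[$name])) {
        return null;                 // well-formed: let PHP use the cookie
    }
    return generateSessionId();      // malformed: replace before session_start()
}

function safeSessionStart()
{
    $name = session_name();
    $replacement = chooseSessionId($_COOKIE, $name);
    if ($replacement !== null) {
        // An id set before session_start() takes precedence over the cookie,
        // and PHP sends a Set-Cookie for the new id on this response.
        session_id($replacement);
        error_log("Discarded malformed session cookie for '$name'");
    }
    return session_start();
}

// Constructed sample inputs (not taken from the post).
var_dump(chooseSessionId(array('PHPSESSID' => 'e3200af3b875e6c78e916e49c6acc315'), 'PHPSESSID'));
var_dump(isValidSessionId('http://example.com/some.html'));
var_dump(isValidSessionId(generateSessionId()));
```

Call safeSessionStart() in place of session_start() (or, in a Zend Framework 1 bootstrap, run the same check immediately before Zend_Session::start()). The check is deliberately a whitelist rather than a blacklist of ':' and '/': the cookie is attacker-controlled, and the goal is to accept only what PHP itself would accept. On PHP 5.2, where random_bytes() does not exist, substitute an id built from a strong random source of your own; the validation logic is unchanged.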