#42750 [Opn]: if session_name contains a dot, a new session is started every request

Tue, 25 Sep 2007 07:44:33 -0700 

 ID:               42750
 Updated by:       [EMAIL PROTECTED]
 Reported By:      dominik dot dorn at gmail dot com
 Status:           Open
 Bug Type:         Session related
 Operating System: Gentoo Linux
 PHP Version:      5.2.4
 New Comment:

Note: register_globals is still there, it's just not enabled by default
so we still have to take this dot-issue into count.


Previous Comments:
------------------------------------------------------------------------

[2007-09-25 12:08:46] dominik dot dorn at gmail dot com

well then it should not even set the cookie with the dot in it,
shouldn't it? 

Could it be, that the "only alphanumeric" thing is a relict from the
register_globals=on time? 

Even if the manual says, the session_id should only contain
alphanumeric characters, it does not say that it has to. 

I think there is a just a simple bug in the method, which reads the
session cookie back in, because setting the cookie works. 

thanks for your help

------------------------------------------------------------------------

[2007-09-25 09:58:55] [EMAIL PROTECTED]

>From the manual: "It should contain only alphanumeric characters".
This propably should have some sort of check for invalid chars used in
the name.

------------------------------------------------------------------------

[2007-09-25 09:16:47] [EMAIL PROTECTED]

It's propably the fact that PHP changes dots in incoming data into _
but I need to investigate a bit.

------------------------------------------------------------------------

[2007-09-24 22:28:48] dominik dot dorn at gmail dot com

Description:
------------
i was trying to fool a little around and tried to set the
session_name to "MYSITE.NET_SessionID'.

PHP sets a cookie with the name ASP.NET_SessionID
but seems not to read it at the next page request.



Reproduce code:
---------------
I tried this with the session_name("ASP.NET_SessionID"); function
and with setting it thru php.ini
session.name = MYSITE.NET_SessionID

i even tried to surround the text with quotes in php.ini like
session.name = "MYSITE.NET_SessionID"
or
session.name = 'MYSITE.NET_SessionID"

Expected result:
----------------
php reads the session id from the cookie names "MYSITE.NET_SessionID'
and then reads the sessiondata with the specified sessionhash





------------------------------------------------------------------------


-- 
Edit this bug report at http://bugs.php.net/?id=42750&edit=1

Reply via email to