From: dont dot want at spam dot no
Operating system: Win XP SP2
PHP version: 5.2.9
PHP Bug Type: Session related
Bug description: session id = empty string produces warning
Description:
------------
If session cookie is an empty string, PHP gives the following warning:
"Warning: session_start() [function.session-start]: The session id
contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'".
Worst case scenario: If the user sets the session id to an empty string
manually in their browser and php errors are displayed, the page will break
(could not start session, headers already sent by warning message, etc.).
Normal scenario: display_errors is disabled, so this will only clutter the
error log with an unnecessary warning.
In my case I have session.use_only_cookies enabled and I work around the
issue with the following code:
<?php
if (isset($_COOKIE[session_name()]) && $_COOKIE[session_name()] === '')
{
# PHP will throw a warning if session cookie is an empty string
# workaround: delete cookie if set to empty string
setcookie(session_name(), '', time()-42000, '/');
unset($_COOKIE[session_name()]);
}
?>
Reproduce code:
---------------
I used jQuery with a cookie addon to set the cookie to an empty string
(was actually trying to delete the cookie), but the same could be simulated
with the following 2 lines of PHP:
<?php
$_COOKIE[session_name()] = '';
session_start();
?>
You also get the same using GET (eg. "localhost/index.php?PHPSESSID=",
remember to delete any old cookies before trying this or it won't work)
<?php
session_start();
?>
Expected result:
----------------
No warning since session ID is empty and PHP should be smart enough to
realise that this means that the session id has not been generated yet.
Actual result:
--------------
Warning: session_start() [function.session-start]: The session id contains
illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
F:\htdocs\index.php on line 9
--
Edit bug report at http://bugs.php.net/?id=48136&edit=1
--
Try a CVS snapshot (PHP 5.2):
http://bugs.php.net/fix.php?id=48136&r=trysnapshot52
Try a CVS snapshot (PHP 5.3):
http://bugs.php.net/fix.php?id=48136&r=trysnapshot53
Try a CVS snapshot (PHP 6.0):
http://bugs.php.net/fix.php?id=48136&r=trysnapshot60
Fixed in CVS:
http://bugs.php.net/fix.php?id=48136&r=fixedcvs
Fixed in CVS and need be documented:
http://bugs.php.net/fix.php?id=48136&r=needdocs
Fixed in release:
http://bugs.php.net/fix.php?id=48136&r=alreadyfixed
Need backtrace:
http://bugs.php.net/fix.php?id=48136&r=needtrace
Need Reproduce Script:
http://bugs.php.net/fix.php?id=48136&r=needscript
Try newer version:
http://bugs.php.net/fix.php?id=48136&r=oldversion
Not developer issue:
http://bugs.php.net/fix.php?id=48136&r=support
Expected behavior:
http://bugs.php.net/fix.php?id=48136&r=notwrong
Not enough info:
http://bugs.php.net/fix.php?id=48136&r=notenoughinfo
Submitted twice:
http://bugs.php.net/fix.php?id=48136&r=submittedtwice
register_globals:
http://bugs.php.net/fix.php?id=48136&r=globals
PHP 4 support discontinued: http://bugs.php.net/fix.php?id=48136&r=php4
Daylight Savings: http://bugs.php.net/fix.php?id=48136&r=dst
IIS Stability:
http://bugs.php.net/fix.php?id=48136&r=isapi
Install GNU Sed:
http://bugs.php.net/fix.php?id=48136&r=gnused
Floating point limitations:
http://bugs.php.net/fix.php?id=48136&r=float
No Zend Extensions:
http://bugs.php.net/fix.php?id=48136&r=nozend
MySQL Configuration Error:
http://bugs.php.net/fix.php?id=48136&r=mysqlcfg
