ID: 48136 Updated by: [email protected] Reported By: dont dot want at spam dot no -Status: Open +Status: Bogus Bug Type: Session related Operating System: Win XP SP2 PHP Version: 5.2.9 New Comment:
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://www.php.net/manual/ and the instructions on how to report a bug at http://bugs.php.net/how-to-report.php . Previous Comments: ------------------------------------------------------------------------ [2009-05-03 14:26:14] dont dot want at spam dot no Description: ------------ If session cookie is an empty string, PHP gives the following warning: "Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'". Worst case scenario: If the user sets the session id to an empty string manually in their browser and php errors are displayed, the page will break (could not start session, headers already sent by warning message, etc.). Normal scenario: display_errors is disabled, so this will only clutter the error log with an unnecessary warning. In my case I have session.use_only_cookies enabled and I work around the issue with the following code: <?php if (isset($_COOKIE[session_name()]) && $_COOKIE[session_name()] === '') { # PHP will throw a warning if session cookie is an empty string # workaround: delete cookie if set to empty string setcookie(session_name(), '', time()-42000, '/'); unset($_COOKIE[session_name()]); } ?> Reproduce code: --------------- I used jQuery with a cookie addon to set the cookie to an empty string (was actually trying to delete the cookie), but the same could be simulated with the following 2 lines of PHP: <?php $_COOKIE[session_name()] = ''; session_start(); ?> You also get the same using GET (eg. "localhost/index.php?PHPSESSID=", remember to delete any old cookies before trying this or it won't work) <?php session_start(); ?> Expected result: ---------------- No warning since session ID is empty and PHP should be smart enough to realise that this means that the session id has not been generated yet. Actual result: -------------- Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in F:\htdocs\index.php on line 9 ------------------------------------------------------------------------ -- Edit this bug report at http://bugs.php.net/?id=48136&edit=1
