From: m dot cave-ayland at webbased dot co dot uk
Operating system: Linux 2.4
PHP version: 4.3.11
PHP Bug Type: Session related
Bug description: Problem parsing cookies

Description:
------------
I have found a problem with using sessions and cookies under PHP 4.3.3, however I have done a brief check using the CVS web interface and I believe the problem may still be present in the latest 4.3.11. A test with PHP 5.0 showed the problem did not exist there.

I was using a buggy client that was accidentally sending two "Cookie:" strings containing the PHP session ID to the webserver (Apache 2.0.47) during a form POST to upload a file, and found that PHP was erroring out with the error "The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9". The error disappeared when the Cookie line was sent once as expected.

Digging into the code shows that cookie values retrieved from the SAPI manager were being separated by a comma, whereas the PHP code was looking for a semi-colon and null as separator values. My fix was to add a comma to the list of separators at the equivalent of line 293 of /main/php_variables.c in PHP 4.3.11, however this is my first look at the PHP source and so there may be a better fix or this may not be correct.

Many thanks,

Mark.

Reproduce code:
---------------
Using a raw telnet session to an Apache WebServer running PHP:

GET / HTTP/1.0
Host: myhost.somewhere.com
Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
Cookie: PHPSESSID=6664337de02c5bad6c175e0bb3c10a45
Cookie: ANOTHER=randomvalue

Expected result:
----------------
No error.

Actual result:
--------------
session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9

--
Edit bug report at http://bugs.php.net/?id=32966&edit=1
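
The separator problem described in the report above, as an added example (not code from the report or from the PHP source): it splits one merged Cookie value first on ";" only and then on ";" and ",", and applies the a-z, A-Z, 0-9 rule from the error message to the extracted session ID. The comma-plus-space joining of the three Cookie lines and the helper names find_cookie, sid_is_valid and session_id_ok are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the three Cookie lines from the report, joined with
   commas as the report says they arrive (exact spacing is an assumption). */
static const char MERGED[] =
    "PHPSESSID=6664337de02c5bad6c175e0bb3c10a45, "
    "PHPSESSID=6664337de02c5bad6c175e0bb3c10a45, ANOTHER=randomvalue";

/* The rule quoted in the error message: only a-z, A-Z and 0-9. */
static int sid_is_valid(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s)) return 0;
    return 1;
}

/* Split header on any byte in seps and copy the value of the first cookie
   called name into out. Returns 1 if found, 0 otherwise. */
static int find_cookie(const char *header, const char *seps,
                       const char *name, char *out, size_t outlen) {
    size_t nlen = strlen(name);
    const char *p = header;
    while (*p) {
        size_t len = strcspn(p, seps);          /* length of this token */
        const char *tok = p;
        while (len && *tok == ' ') { tok++; len--; }   /* trim leading spaces */
        if (len > nlen && strncmp(tok, name, nlen) == 0 && tok[nlen] == '=') {
            snprintf(out, outlen, "%.*s", (int)(len - nlen - 1), tok + nlen + 1);
            return 1;
        }
        p = tok + len;
        if (*p) p++;                            /* step over the separator */
    }
    return 0;
}

/* 1 if the PHPSESSID extracted with these separators passes validation. */
int session_id_ok(const char *header, const char *seps) {
    char sid[512];
    return find_cookie(header, seps, "PHPSESSID", sid, sizeof sid)
           && sid_is_valid(sid);
}

int main(void) {
    printf("split on \";\"  -> %s\n", session_id_ok(MERGED, ";") ? "valid" : "invalid characters");
    printf("split on \";,\" -> %s\n", session_id_ok(MERGED, ";,") ? "valid" : "invalid characters");
    return 0;
}
```

With ";" alone the whole merged string after the first "=" becomes the session ID, so the comma, space and "=" characters fail validation; with "," added, each cookie is its own token and the first PHPSESSID is taken.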
