Recently our company started scanning a new ZF-based site we just launched. It's some sort of security scanner that checks for things like SQL injection, XSS, etc. Anyway, it presented a problem with sessions that I've never encountered before. This scanner, for whatever reason, resets all cookie values to some weird URI. So now, instead of the session cookie looking like:

e3200af3b875e6c78e916e49c6acc315

it looks like:

http://example.com/some.html

The URI obviously has characters like ':' and '/', which are of course illegal characters for a session id. The problem? First of all, this throws a Zend_Session_Exception, example:

[21-Aug-2007 15:05:50] PHP Fatal error: Uncaught exception 'Zend_Session_Exception' with message 'Zend_Session::start() - session_start(): The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'' in /z/applib/lib/Zend/Session.php:379
Stack trace:
#0 /z/applib/app/bootstrap.php(72): Zend_Session::start()
#1 /z/www/obscurity_network/app/networkbootstrap.php(53): require('/z/applib/app/b...')
#2 /z/www/obscurity.obscurity.com/index.php(9): require('/z/www/obscurity_net...')
#3 {main}
thrown in /z/applib/lib/Zend/Session.php on line 379

Secondly, the reason this happens in the first place is that PHP actually throws a warning when a session id contains illegal characters. Example:

Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /obscurity.php on line 88

What do you guys think? In my opinion, the session extension should gracefully handle this without a warning. Then again, cookies can be considered user input, therefore should be filtered ... I dunno. At the very least, something should be added to the Zend_Session start() method to check the session id before session_start() is called. At most, a bug report should be filed at php.net to change the behavior of the warning.

I'm willing to help however I can, but wanted some opinions first. (BTW, running PHP 5.2.2)

Regards,
Tony
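One way to do the pre-check the post asks for, as an added example that is not Tony's code or part of Zend_Session: validate the session cookie against the character set named in the PHP warning before calling session_start(), and discard the cookie if it fails so PHP issues a fresh id instead of warning on the bad one. The length bounds and the function names are assumptions; on PHP 7.1+ the allowed alphabet also depends on session.sid_bits_per_character, so the pattern would need adjusting there.

```php
<?php
// Added example, not from the original post or from Zend Framework.
// Treats the session cookie as untrusted user input and validates it
// before session_start() has a chance to complain about it.

/**
 * Allowed characters follow the PHP warning quoted in the post:
 * a-z, A-Z, 0-9, '-' and ','. The 22..128 length window is an assumption
 * that rejects obviously truncated or oversized values as well.
 */
function isValidSessionId($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}

/**
 * Start the session, but drop a malformed client-supplied id first.
 * PHP reads the id from $_COOKIE[session_name()], so unsetting that entry
 * makes session_start() generate a new id rather than adopting the bad one
 * (e.g. the URI the scanner injected). Returns true if a cookie was discarded.
 */
function startSessionSafely()
{
    $name = session_name();
    $discarded = false;

    if (isset($_COOKIE[$name]) && !isValidSessionId($_COOKIE[$name])) {
        // Log the rejection for detection purposes; do not echo the raw value
        // back to the client, it is attacker-controlled.
        error_log('Rejected malformed session id from client; issuing a new one.');
        unset($_COOKIE[$name]);
        $discarded = true;
    }

    session_start();
    return $discarded;
}

// Usage: call this in the bootstrap in place of a bare Zend_Session::start()
// / session_start(); with a cookie value such as "http://example.com/some.html"
// it returns true and the request continues with a freshly generated id.
```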