Commit b37fc1e

bug #46249 [HttpFoundation] [Session] Regenerate invalid session id (peter17)
This PR was merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] [Session] Regenerate invalid session id

| Q             | A          |
| ------------- | ---------- |
| Branch?       | 4.4        |
| Bug fix?      | yes        |
| New feature?  | no         |
| Deprecations? | no         |
| Tickets       | Fix #45755 |
| License       | MIT        |
| Doc PR        | no         |

Currently, having a PHPSESSID which does not match `/^[a-zA-Z0-9,\-]{1,123}$/` (see https://www.php.net/manual/fr/function.session-start.php) will produce a php.WARNING and then a RuntimeException (please read #45755). I don't think there is a nice way to handle this, so I propose to simply ignore invalid values.

With this PR, a value for PHPSESSID that does not match the regex will be ignored and a new session id will be generated. Then, the behavior will be the same as if no session existed, so a new session will be started and a new PHPSESSID will be defined.

It looks like Session storage is currently untested, so I don't know how to test this...

Best regards

Commits
-------

d8f84c7 [HttpFoundation] [Session] Overwrite invalid session id
2 parents 6a93d11 + d8f84c7 commit b37fc1e
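To make the practical difference between the two rules mentioned in this PR visible, here is an added illustration (not Symfony's code and not part of the commit): a standalone PHP script that applies both the pattern quoted from the PHP manual in the description and the stricter pattern used in the patch to a few constructed cookie values, and shows the fallback to a freshly generated id when a value is rejected. The function names, the sample values and their labels are this example's own.

```php
<?php
// Added illustration, not Symfony code: compare the rule cited in the PR
// description with the stricter rule applied in the patch, on constructed input.
declare(strict_types=1);

// Pattern quoted in the PR description (from the PHP manual).
const MANUAL_PATTERN = '/^[a-zA-Z0-9,\-]{1,123}$/';
// Pattern used in the patched NativeSessionStorage::start().
const PATCH_PATTERN = '/^[a-zA-Z0-9,-]{22,}$/';

/**
 * Decide whether a cookie-supplied session id may be handed to session_start().
 * Returns the id unchanged when it is acceptable, or null when the caller
 * should discard it and let PHP create a fresh one (hypothetical helper).
 */
function acceptableSessionId(?string $candidate, string $pattern): ?string
{
    if ($candidate === null || $candidate === '') {
        return null;
    }

    return preg_match($pattern, $candidate) === 1 ? $candidate : null;
}

/**
 * Mirror the patch's behaviour: keep an acceptable id, otherwise generate a new
 * one with session_create_id(), which works before the session is active.
 */
function chooseSessionId(?string $candidate, string $pattern): string
{
    return acceptableSessionId($candidate, $pattern) ?? session_create_id();
}

// Constructed sample cookie values (not taken from real traffic).
$samples = [
    'well-formed, 32 chars' => str_repeat('a1', 16),
    'legal chars, 6 long'   => 'abc123',
    'contains a slash'      => 'abc/def',
    'contains a space'      => 'abc def',
    'value from the test'   => '&~[',
    'contains NUL'          => "abc\0def",
];

foreach ($samples as $label => $value) {
    $manual = acceptableSessionId($value, MANUAL_PATTERN) !== null ? 'accept' : 'reject';
    $patch  = acceptableSessionId($value, PATCH_PATTERN) !== null ? 'accept' : 'reject';
    printf("%-22s manual=%-6s patch=%s\n", $label, $manual, $patch);
}

// The short-but-legal value is the interesting case: the manual rule keeps it,
// the patch rule discards it and a new id is generated instead.
$chosen = chooseSessionId('abc123', PATCH_PATTERN);
printf("chosen id for 'abc123' under the patch rule: %s (generated: %s)\n",
    $chosen, $chosen === 'abc123' ? 'no' : 'yes');
```

Run it with `php example.php` on any PHP 7.1 or newer CLI. The minimum of 22 in the patch pattern corresponds to the smallest `session.sid_length` PHP permits, which is why a shorter value can never be a legitimately generated id; the difference shows up only for inputs that are otherwise well-formed.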

File tree

2 files changed: +15 -0 lines changed

src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php

6 additions & 0 deletions
@@ -152,6 +152,12 @@ public function start()
152152
throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
153153
}
154154

155+
$sessionId = $_COOKIE[session_name()] ?? null;
156+
if ($sessionId && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
157+
// the session ID in the header is invalid, create a new one
158+
session_id(session_create_id());
159+
}
160+
155161
// ok to try and start the session
156162
if (!session_start()) {
157163
throw new \RuntimeException('Failed to start the session.');
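Review bot: the pattern on the new line `if ($sessionId && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {` is stricter than the `{1,123}` rule the PR description cites from the PHP manual: it rejects every cookie value shorter than 22 characters and accepts any length above that, and neither choice is explained in the code. The inline comment should say that 22 is the smallest `session.sid_length` PHP allows (so a shorter id can never have been generated by PHP), and an upper bound matching PHP's own cap of 256 for `session.sid_length` would keep the check consistent with what `session_start()` itself accepts. The comment `// the session ID in the header is invalid, create a new one` also reads "header" where the value actually comes from `$_COOKIE`. Finally, a malformed value is silently replaced; since this code path is the one an operator would want to notice, consider at least a debug-level log of the rejection so repeated bad cookies are visible.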

src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php

9 additions & 0 deletions
@@ -293,4 +293,13 @@ public function testGetBagsOnceSessionStartedIsIgnored()
293293

294294
$this->assertEquals($storage->getBag('flashes'), $bag);
295295
}
296+
297+
public function testRegenerateInvalidSessionId()
298+
{
299+
$_COOKIE[session_name()] = '&~[';
300+
$started = (new NativeSessionStorage())->start();
301+
302+
$this->assertTrue($started);
303+
$this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
304+
}
296305
}
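Review bot: `testRegenerateInvalidSessionId()` writes `$_COOKIE[session_name()] = '&~[';` and never removes it, so the superglobal leaks into every later test in the same process that calls `start()`; unset it at the end of the test or in `tearDown()`. The assertion only checks the shape of the new id; adding `$this->assertNotSame('&~[', session_id());` states the intended behaviour directly, and a companion test with a well-formed cookie value would show that valid ids are still honoured rather than always regenerated.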
