Commit bf46a8d

bug #46790 [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters (BrokenSourceCode)
This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #46777
| License       | MIT

This PR is intended to improve the changes made in the PR #46249 that doesn't check the max length of the session ID.

To do this, I used the PHP ini directives below:
- [`session.sid_length`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length) (must be an integer between `22` and `256`)
- [`session.sid_bits_per_character`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-bits-per-character) (must be an integer such as `4`, `5` or `6`)

Commits
-------

8487950 [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters
2 parents a2fbf66 + 8487950 commit bf46a8d
2 files changed, +3 -3 lines changed
‎src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php

@@ -153,7 +153,7 @@ public function start()
153153
}
154154

155155
$sessionId = $_COOKIE[session_name()] ?? null;
156-
if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
156+
if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,250}$/', $sessionId)) {
157157
// the session ID in the header is invalid, create a new one
158158
session_id(session_create_id());
159159
}
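
Review bot: The upper bound `250` in the new `{22,250}` quantifier is a hardcoded value that does not match the `22` to `256` range the commit message gives for `session.sid_length`, and nothing in this condition reads either ini directive the message names. Either derive the limit from `ini_get('session.sid_length')` or add a comment beside the pattern saying why 250 was chosen, so that a deployment configured with a longer ID length does not have its valid cookies replaced by `session_create_id()` on every request. The character class `[a-zA-Z0-9,-]` is likewise fixed regardless of `session.sid_bits_per_character`, which is worth stating in the same comment.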

‎src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php

@@ -302,7 +302,7 @@ public function testRegenerateInvalidSessionIdForNativeFileSessionHandler()
302302
$started = $storage->start();
303303

304304
$this->assertTrue($started);
305-
$this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
305+
$this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,250}$/', session_id());
306306
$storage->save();
307307

308308
$_COOKIE[session_name()] = '&~[';
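
Review bot: Nothing in this hunk exercises the new upper bound: the only invalid cookie value visible here is `'&~['`, which fails on its characters and on the 22 minimum, never on a length above 250. Add a case that sets `$_COOKIE[session_name()]` to a string of legal characters longer than 250 (for example `str_repeat('a', 251)`) and asserts that `start()` replaces it with a fresh ID, since that is the behaviour this change introduces.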
@@ -311,7 +311,7 @@ public function testRegenerateInvalidSessionIdForNativeFileSessionHandler()
311311
$started = $storage->start();
312312

313313
$this->assertTrue($started);
314-
$this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
314+
$this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,250}$/', session_id());
315315
$storage->save();
316316

317317
$_COOKIE[session_name()] = '&~[';
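
Review bot: The pattern `/^[a-zA-Z0-9,-]{22,250}$/` on the changed assertion line is now repeated as a literal in both assertions of this test as well as in `NativeSessionStorage::start()`, so the next change to the bounds has to be made in three places. Consider holding it in one place in the test (a local variable or a class constant) so the two assertions cannot drift apart.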
