when session_name("123") consist only digits, should warning

Submitted:

2005-12-16 10:39 UTC

Modified:

2013-06-27 10:39 UTC

Votes:	4
Avg. Score:	1.8 ± 1.3
Reproduced:	1 of 1 (100.0%)
Same Version:	1 (100.0%)
Same OS:	0 (0.0%)

From:

samuelkid at citiz dot net

Assigned:

yohgaki (profile)

Status:

Closed

Package:

*General Issues

PHP Version:

5.1.1

OS:

redhat 7.3

Private report:

CVE-ID:

None

[2005-12-16 10:39 UTC] samuelkid at citiz dot net

Description:
------------
as php manual says:
Session name can't consist only from digits, at least one letter must be present. Otherwise new session id is generated every time. 

http://php.liukang.com/manual/en/function.session-name.php

so, when session("123"), it should be warning or something,
but it is not

Reproduce code:
---------------
session_name("123")



Expected result:
----------------
warning:   or something

Actual result:
--------------
actually "123" works fine

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2013-06-27 10:27 UTC] yohgaki@php.net

-Status: Open +Status: Analyzed -Package: Feature/Change Request +Package: *General Issues

[2013-06-27 10:27 UTC] yohgaki@php.net

This is because session name is string, but session id name stored in 
$_COOKIE/$_GET/$_POST has long key.

i.e. Cannot find session id with zend_hash_find() since it is numeric(long) key.

session.name can be check in INI update function.