session_start can't handle broken cookies
| Bug #38224 | session_start can't handle broken cookies | | |
|---|---|---|---|
| Submitted: | 2006-07-26 15:34 UTC | Modified: | 2006-07-27 14:06 UTC |
| From: | toni at schornboeck dot net | Assigned: | iliaa |
| Status: | Closed | Package: | Session related |
| PHP Version: | 5.1.4 | OS: | windows |
| Private report: | No | CVE-ID: | None |
[2006-07-26 15:34 UTC] toni at schornboeck dot net
Description:
------------
session_start() can't handle broken cookies at all.
When a cookie with the name of the session exists, even if it's malformed, for example containing invalid characters, session_start just assumes it is a correct session id - and fails horribly when trying to save data in a file with that "id".
Reproduce code:
---------------
<?php
ob_start();
//setcookie('session_cookie', gzcompress('?#+?!')); //just call once
session_name('session_cookie');
session_start();
echo 'test = ',$_SESSION['test'];
$_SESSION['test']='foo';
ob_end_flush();
?>
Expected result:
----------------
Either session_start() should return false or it needs to overwrite the cookie.
Nevertheless this code shouldn't produce any errors and save the session variable test correctly.
Output:
test = foo
Actual result:
--------------
Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in C:\xampp\xampp\htdocs\yawe\bug.php on line 6
test =
Warning: Unknown: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (C:\xampp\xampp\tmp) in Unknown on line 0
and session_start sets the cookie with the same corrupted "session id" again...
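A defensive check an application can run before session_start(), as an added example that is not part of the original report and not PHP's own fix: it accepts the session cookie only if it consists of the characters named in the warning above (a-z, A-Z, 0-9, '-' and ','), and otherwise sets a fresh id so the broken cookie is overwritten. The function names and the 128-character length cap are assumptions of this example, and random_bytes() assumes PHP 7 or later.

```php
<?php
// Added example: application-side guard against a malformed session cookie.
// Function names and the length cap are hypothetical, not part of PHP.

/**
 * True when $id is a string made only of the characters listed in the
 * warning (a-z, A-Z, 0-9, '-' and ','). A cookie sent as name[]=... arrives
 * as an array and is rejected by the is_string() check.
 */
function is_wellformed_session_id($id)
{
    return is_string($id)
        && preg_match('/\A[a-zA-Z0-9,-]{1,128}\z/', $id) === 1;
}

/**
 * Start the named session. If the client sent a session cookie that is not
 * well formed, ignore it and assign a new random id instead. Setting an id
 * with session_id() before session_start() makes PHP send a new cookie, so
 * the corrupted value in the browser is replaced.
 */
function start_session_checked($name)
{
    session_name($name);

    if (isset($_COOKIE[$name]) && !is_wellformed_session_id($_COOKIE[$name])) {
        // 16 random bytes as 32 hex characters, all inside the allowed set.
        session_id(bin2hex(random_bytes(16)));
    }

    return session_start();
}

// Same flow as the reproduce code, with the guard in front of session_start().
ob_start();
if (start_session_checked('session_cookie')) {
    echo 'test = ', isset($_SESSION['test']) ? $_SESSION['test'] : '';
    $_SESSION['test'] = 'foo';
}
ob_end_flush();
```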
[2006-07-27 14:06 UTC] iliaa@php.net