Hi all.
On our server we infrequently get a warning when session_start()
is called. The message says "The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'"
But print_r($_SERVER) in those cases contains only "PHPSESSID" - so the session cookie has no value. In my opinion the warning message is a bit irritating, or does it have a deeper meaning?
Best regards
Christian
> But print_r($_SERVER) in those cases contains only "PHPSESSID"
Of course it is $_SERVER['HTTP_COOKIE'] which only contains "PHPSESSID" ;-)
Hi Christian,
On Tue, Feb 11, 2014 at 4:31 PM, Christian Stoller stoller@leonex.de wrote:
> On our server we infrequently get a warning when session_start() is
> called. The message says "The session id is too long or contains illegal
> characters, valid characters are a-z, A-Z, 0-9 and '-,'"
> But print_r($_SERVER) in those cases contains only "PHPSESSID" - so the
> session cookie has no value. In my opinion the warning message is a bit
> irritating, or does it have a deeper meaning?
What is the reason for having extremely insecure session ID?
Is user sending empty cookie by deleting cookie value?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net
> What is the reason for having extremely insecure session ID?
> Is user sending empty cookie by deleting cookie value?
Hi Yasuo,
the resource, which has been called, is a dynamically generated playlist file (.M3U) and it seemed like the user agent was a Windows Media Player, because of the passed HTTP headers. But I have no clue why the empty cookie has been sent.
I have extended the application, so that the cookie value is checked and the session won't be started if it is empty.
But maybe there is someone who could improve the warning message a bit. In this case it could say "The session id is empty or too short."
Best regards
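The pre-check Christian describes, written out as an added PHP example (this is neither his application's code nor PHP's session module): the session ID cookie is validated before session_start() is called, so an empty or malformed PHPSESSID is either ignored or discarded instead of producing the warning. The allowed character set comes from the warning text quoted in the thread; the 128-character length limit and the helper names `session_id_is_valid` and `safe_session_start` are assumptions made for this example.

```php
<?php
// Added example, not code from Christian's application or from PHP's session
// module: validate the session ID cookie before session_start() so that an
// empty or malformed PHPSESSID (as sent by the media player in the thread)
// is discarded instead of triggering the "session id is too long or contains
// illegal characters" warning. The allowed character set is taken from the
// warning text quoted above; the 128-character length limit is an assumption
// for illustration, the thread does not state PHP's actual limit.

function session_id_is_valid($id, $maxLen = 128)
{
    if (!is_string($id) || $id === '') {
        return false;               // the thread's case: cookie sent with no value
    }
    if (strlen($id) > $maxLen) {
        return false;
    }
    // Only a-z, A-Z, 0-9, '-' and ',' are accepted by the default files handler.
    return preg_match('/^[A-Za-z0-9,-]+$/', $id) === 1;
}

/**
 * Start the session only with a well-formed client-supplied ID.
 *
 * - If the cookie is missing or valid, behave like session_start().
 * - If the cookie is present but invalid and $skipIfInvalid is true
 *   (Christian's approach for the playlist download), start no session.
 * - Otherwise drop the bad cookie from $_COOKIE so the session module
 *   generates a fresh ID instead of emitting the warning.
 */
function safe_session_start($skipIfInvalid = false)
{
    $name = session_name();
    if (array_key_exists($name, $_COOKIE) && !session_id_is_valid($_COOKIE[$name])) {
        if ($skipIfInvalid) {
            return false;
        }
        // With session.use_only_cookies=1 the session module reads the ID from
        // $_COOKIE, so removing the entry makes it create a new session and
        // send a new cookie.
        unset($_COOKIE[$name]);
    }
    return session_start();
}

// Constructed cookie values for a CLI self-check (no real request involved).
if (PHP_SAPI === 'cli') {
    $samples = array(
        ''                                => false, // empty value: the thread's case
        'pq0h2j9c1s6h5b6d8i9g2l7v4e1k3o0' => true,  // typical generated ID
        'abc$def'                         => false, // illegal character
        str_repeat('a', 129)              => false, // over the assumed limit
    );
    foreach ($samples as $value => $expected) {
        printf("%-34s -> %s\n", var_export($value, true),
               session_id_is_valid($value) === $expected ? 'ok' : 'MISMATCH');
    }
}
```

For the playlist endpoint from the thread, `safe_session_start(true)` skips the session entirely when the cookie is empty; for ordinary pages the default discards the bad value and lets PHP issue a new ID, which is close to the silent regeneration discussed later in the thread but done in application code rather than in the session module.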
Hi Christian,
On Wed, Feb 12, 2014 at 4:25 PM, Christian Stoller stoller@leonex.de wrote:
> > What is the reason for having extremely insecure session ID?
> > Is user sending empty cookie by deleting cookie value?
>
> Hi Yasuo,
> the resource, which has been called, is a dynamically generated playlist file
> (.M3U) and it seemed like the user agent was a Windows Media Player,
> because of the passed HTTP headers. But I have no clue why the empty cookie
> has been sent.
> I have extended the application, so that the cookie value is checked and
> the session won't be started if it is empty.
> But maybe there is someone who could improve the warning message a bit. In
> this case it could say "The session id is empty or too short."
I cannot prevent clients from sending an empty (invalid) session id cookie, but
I can make the session module try to regenerate the session ID silently when an
invalid session is sent, regardless of use_strict_mode.
The error message may be too much as clients can send any session ID cookie.
The issue is that the current code does not distinguish whether the invalid
session ID is set by the programmer or the client.
I'm not sure what is the best approach.
Does anyone have idea?
Regards,
--
Yasuo Ohgaki
yohgaki@ohgaki.net