
[HttpFoundation] PHP Warning: SessionHandler::read(): Session ID is too long or contains illegal characters. #46777


Closed
Rezyan opened this issue Jun 25, 2022 · 2 comments

Comments

@Rezyan
Contributor

Rezyan commented Jun 25, 2022

Symfony version(s) affected

6.1.0

Description

Hi,

When I cheat on the front-end and manually change the session cookie length with the dev console, this emits a warning on the back-end:

```
[25-Jun-2022 20:54:15 UTC] PHP Warning:  SessionHandler::read(): Session ID is too long or contains illegal characters. Only the A-Z, a-z, 0-9, "-", and "," characters are allowed in C:\app\vendor\symfony\http-foundation\Session\Storage\Handler\StrictSessionHandler.php on line 45
```

Therefore, malicious users can generate warning messages.

How to reproduce

You just need to manually change the session cookie in the front-end and put more than 256 characters.

Possible Solution

I guess that the regular expression on this line should check the max length too:

```php
if ($sessionId && $this->saveHandler instanceof AbstractProxy && 'files' === $this->saveHandler->getSaveHandlerName() && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
```

Maybe like this: `'/^[a-zA-Z0-9,-]{22,256}$/'`. According to the PHP doc:

> session.sid_length int
> session.sid_length allows you to specify the length of session ID string. Session ID length can be between 22 to 256. The default is 32. If you need compatibility you may specify 32, 40, etc. Longer session ID is harder to guess. At least 32 chars are recommended.

Additional Context

Related PR: #46249.

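Added example, not Symfony's code nor the code from the fix PR: one way to validate an incoming session cookie against the alphabet and length that PHP's `session.sid_bits_per_character` and `session.sid_length` directives define, so a tampered value is replaced before the files handler reads it and emits the warning above. The function names and the clamping to PHP's documented 22..256 bounds are assumptions of this example.

```php
<?php
declare(strict_types=1);

/**
 * Build the regex a PHP-generated session ID must match.
 * Alphabet per session.sid_bits_per_character (php.net):
 *   4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9a-zA-Z plus "," and "-".
 * Length is session.sid_length, clamped to PHP's documented 22..256 so a
 * misconfigured ini value cannot widen what we accept (assumption).
 */
function sessionIdPattern(?int $sidLength = null, ?int $bitsPerChar = null): string
{
    $sidLength ??= (int) ini_get('session.sid_length') ?: 32;
    $bitsPerChar ??= (int) ini_get('session.sid_bits_per_character') ?: 4;

    $alphabet = match ($bitsPerChar) {
        4 => '0-9a-f',
        5 => '0-9a-v',
        default => '0-9a-zA-Z,-',
    };
    $len = max(22, min(256, $sidLength));

    return sprintf('/^[%s]{%d}$/', $alphabet, $len);
}

function isValidSessionId(string $id, ?int $sidLength = null, ?int $bitsPerChar = null): bool
{
    return 1 === preg_match(sessionIdPattern($sidLength, $bitsPerChar), $id);
}

// Constructed inputs: a well-formed ID, the oversized cookie from the report,
// and an ID carrying a character outside the allowed alphabet.
$good = str_repeat('a', 32);
$tooLong = str_repeat('a', 257);
$badChars = str_repeat('a', 31).'!';

var_dump(isValidSessionId($good, 32, 4));
var_dump(isValidSessionId($tooLong, 32, 4));
var_dump(isValidSessionId($badChars, 32, 4));

// In a request: swap an invalid cookie value for a fresh ID before
// session_start(), so the handler never sees the tampered value.
if (isset($_COOKIE[session_name()]) && !isValidSessionId((string) $_COOKIE[session_name()])) {
    session_id(session_create_id());
}
```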

@Rezyan Rezyan added the Bug label Jun 25, 2022
@Rezyan Rezyan changed the title [Session] PHP Warning: SessionHandler::read(): Session ID is too long or contains illegal characters. [HttpFoundation] PHP Warning: SessionHandler::read(): Session ID is too long or contains illegal characters. Jun 26, 2022
@xabbuh
Member

xabbuh commented Jun 27, 2022

Would you like to send a PR with your suggested solution?

@Rezyan
Contributor Author

Rezyan commented Jun 27, 2022

> Would you like to send a PR with your suggested solution?

@xabbuh Done #46790

nicolas-grekas added a commit that referenced this issue Jun 30, 2022
…ng or contains illegal characters (BrokenSourceCode)

This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #46777
| License       | MIT

This PR is intended to improve the changes made in PR #46249, which doesn't check the max length of the session ID.

To do this, I used the PHP ini directives below:
- [`session.sid_length`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-length) (must be an integer between `22` and `256`)
- [`session.sid_bits_per_character`](https://www.php.net/manual/en/session.configuration.php#ini.session.sid-bits-per-character) (must be an integer such as `4`, `5` or `6`)

Commits
-------

8487950 [HttpFoundation] Prevent PHP Warning: Session ID is too long or contains illegal characters
fabpot added a commit that referenced this issue Jul 8, 2022
…rceCode)

This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] Add session ID regex comment

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| License       | MIT

A comment intended to explain the session ID regular expression.

Related links:
- #46777
- #46790

Commits
-------

4908090 [HttpFoundation] Add session ID regex comment
symfony-splitter pushed a commit to symfony/http-foundation that referenced this issue Jul 8, 2022
…rceCode)

This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] Add session ID regex comment

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| License       | MIT

A comment intended to explain the session ID regular expression.

Related links:
- symfony/symfony#46777
- symfony/symfony#46790

Commits
-------

49080903d2 [HttpFoundation] Add session ID regex comment

4 participants