
Symfony version(s) affected
6.1.0
Description
Hi,
When I cheat on the front-end and manually change the session cookie length with the dev console, this emits a warning on the back-end:
[25-Jun-2022 20:54:15 UTC] PHP Warning: SessionHandler::read(): Session ID is too long or contains illegal characters. Only the A-Z, a-z, 0-9, "-", and "," characters are allowed in C:\app\vendor\symfony\http-foundation\Session\Storage\Handler\StrictSessionHandler.php on line 45
Therefore, malicious users can generate warning messages.
How to reproduce
You just need to manually change the session cookie in the front-end and put more than 256 characters.
Possible Solution
I guess that the regular expression on this line should check the max length too. Maybe like this: '/^[a-zA-Z0-9,-]{22,256}$/'. According to the PHP doc:
session.sid_length int
session.sid_length allows you to specify the length of session ID string. Session ID length can be between 22 to 256. The default is 32. If you need compatibility you may specify 32, 40, etc. Longer session ID is harder to guess. At least 32 chars are recommended.
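As an added illustration of the proposed check (this is example code written for this issue, not Symfony's StrictSessionHandler and not the change in the related PR), the snippet below validates a session ID against the reporter's character class and the 22..256 length range from the PHP docs before the native handler ever sees it. The function and class names are assumptions, and the inputs at the bottom are constructed:

```php
<?php
declare(strict_types=1);

// Added example, not Symfony code. Goal: reject a malformed or over-long
// session ID (e.g. a cookie edited in the browser dev console) before it
// reaches SessionHandler::read(), which otherwise emits the PHP warning
// quoted in the report.

/**
 * Returns true when $id contains only the characters PHP's session layer
 * accepts and its length lies within the session.sid_length bounds
 * (22..256 per the PHP documentation). Name and defaults are assumptions.
 */
function isValidSessionId(string $id, int $minLength = 22, int $maxLength = 256): bool
{
    // Same character class as the reporter's pattern; the quantifier adds
    // the missing upper bound so the native handler never sees an ID
    // longer than PHP allows.
    $pattern = sprintf('/^[a-zA-Z0-9,-]{%d,%d}$/', $minLength, $maxLength);

    return preg_match($pattern, $id) === 1;
}

/**
 * Hypothetical wrapper showing where the check belongs: in front of the
 * delegation to the native handler. A bad ID is treated like a session
 * that does not exist (empty data), so no warning is raised and nothing
 * is read from storage.
 */
final class LengthCheckingSessionHandler extends \SessionHandler
{
    public function read(string $id): string|false
    {
        if (!isValidSessionId($id)) {
            return '';
        }

        return parent::read($id);
    }
}

// Constructed inputs for a quick manual run (php this_file.php).
$defaultLength = str_repeat('a', 32);          // PHP's default sid_length
$tooLong       = str_repeat('a', 300);         // over the 256 maximum
$tooShort      = 'abc';                         // under the 22 minimum
$badChar       = str_repeat('a', 31) . '!';    // illegal character

foreach ([$defaultLength, $tooLong, $tooShort, $badChar] as $candidate) {
    printf("len=%3d valid=%s\n", strlen($candidate), isValidSessionId($candidate) ? 'yes' : 'no');
}
```

Only the first constructed input passes; the other three are rejected by the length bounds or the character class without any call into the native handler. If a deployment configures a non-default session.sid_length, the bounds passed to isValidSessionId should be taken from that setting rather than hard-coded.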
Additional Context
Related PR: #46249.