The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

Backend  Unresolved  7  1754
情歌与酒 2020-11-27 17:12

How to solve:

Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-

7 answers
  • 2020-11-27 17:30

    It is an information vulnerability: a malicious attacker may alter the cookies and assign illegal characters to PHPSESSID to expose this PHP warning, which in fact contains juicy information like the file path and the username!

  • 2020-11-27 17:31

    There is a bug report for this problem (https://bugs.php.net/bug.php?id=68063)

    You can check the success of your session_start and generate the id if needed:

    $ok = @session_start();          // '@' suppresses the warning; false means the id was rejected
    if (!$ok) {
        session_regenerate_id(true); // replace the session id (true also deletes the old session data)
        session_start();
    }
    
  • 2020-11-27 17:33

    I edited Andron's previous solution (fixed the returned value) and added the evaluation of the output of my_session_start(). The previous solution solves the problem with the error message, but I need to have the session started.

    /**
     * @return boolean TRUE if a session was successfully started
     */
    function my_session_start()
    {
        $sn = session_name();
        if (isset($_COOKIE[$sn])) {
            $sessid = $_COOKIE[$sn];
        } else if (isset($_GET[$sn])) {
            $sessid = $_GET[$sn];
        } else {
            // no id supplied: a fresh session is started without any check
            return session_start();
        }

        // reject ids outside PHP's allowed alphabet and length before session_start() sees them
        if (!preg_match('/^[a-zA-Z0-9,\-]{22,40}$/', $sessid)) {
            return false;
        }
        return session_start();
    }

    if (!my_session_start()) {
        session_id(uniqid());    // force a fresh, valid id instead of the rejected one
        session_start();
        session_regenerate_id(); // then replace the predictable uniqid() value
    }
    
  • I came up with this simple method, just try and catch the session start, and if there is a problem regenerate the session.

    // Assumes an error handler that converts PHP warnings into ErrorException;
    // without one, session_start() only emits a warning and nothing is caught.
    try {
        session_start();
    } catch (ErrorException $e) {
        session_regenerate_id();
        session_start();
    }
    
  • 2020-11-27 17:43

    Have a look at this session_start() discussion for a work-around:

    session_start() generates a warning if PHPSESSID contains illegal characters

    Warning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/para/dev/mon_site/header.php on line 17

    To avoid it I wrote this:

    <?php
    function my_session_start()
    {
        if (ini_get('session.use_cookies') && isset($_COOKIE['PHPSESSID'])) {
            $sessid = $_COOKIE['PHPSESSID'];
        } elseif (!ini_get('session.use_only_cookies') && isset($_GET['PHPSESSID'])) {
            $sessid = $_GET['PHPSESSID'];
        } else {
            // no id supplied: let PHP create a new session
            session_start();
            return false;
        }

        // only accept the 32-character hexadecimal id format (the default md5 ids of that era)
        if (!preg_match('/^[a-z0-9]{32}$/', $sessid)) {
            return false;
        }
        session_start();

        return true;
    }
    ?>
    
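A hardened version of the validate-then-start pattern from the two my_session_start() answers above, written here as an added example (it is not code from any of the answers). It assumes PHP 7.1 or later, where the id format is defined by the session.sid_length and session.sid_bits_per_character ini settings and session_create_id() can produce a fresh id before the session is active; the function names are mine.

```php
<?php
// Added example (not from any answer above): derive the legal session-id
// alphabet and length from PHP's own ini settings instead of hard-coding one
// regex, reject anything else, and swap in a freshly generated id before
// session_start() sees the bad value, so the warning is never emitted.
function session_id_pattern(): string
{
    $length = (int) ini_get('session.sid_length');             // 22..256
    $bits   = (int) ini_get('session.sid_bits_per_character'); // 4, 5 or 6
    $alphabets = [4 => 'a-f0-9', 5 => 'a-v0-9', 6 => 'a-zA-Z0-9,\-'];
    $class = $alphabets[$bits] ?? $alphabets[4];
    return sprintf('/\A[%s]{%d}\z/', $class, $length);
}

function supplied_session_id(): ?string
{
    $name = session_name();
    if (ini_get('session.use_cookies') && isset($_COOKIE[$name]) && is_string($_COOKIE[$name])) {
        return $_COOKIE[$name];
    }
    if (!ini_get('session.use_only_cookies') && isset($_GET[$name]) && is_string($_GET[$name])) {
        return $_GET[$name];
    }
    return null;
}

function safe_session_start(): bool
{
    $candidate = supplied_session_id();
    if ($candidate !== null && !preg_match(session_id_pattern(), $candidate)) {
        // Malformed id (tampered cookie, wrong alphabet, wrong length): replace
        // it with a valid one generated by PHP. session.use_strict_mode=1 makes
        // PHP additionally discard well-formed ids it never issued.
        session_id(session_create_id());
    }
    return session_start();
}

// Keep display_errors off in production anyway: even a suppressed warning must
// never reach the client with the script path in it.
if (!safe_session_start()) {
    http_response_code(500);
    exit('session unavailable');
}
```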
  • 2020-11-27 17:49

    If you don't care about other users (for example: if it's a private interface), just check your browser, find the cookie PHPSESSID (or the name you gave it), delete it, and refresh.
