0

I'm trying to check the value of the PHPSESSID before session_start() is called. I don't like messages like this:

`session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in`

Illegal characters can be filtered out with a simple regex: `preg_replace("/[^a-zA-Z0-9]/", "", $input_lines);`

But how do I check the max length? On my local XAMPP installation I get a 26-character PHPSESSID, but on the deployment server I'm getting a 32-character PHPSESSID.

The PHP manual only says something about the allowed characters, but nothing about the length:

> Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range a-z, A-Z, 0-9, , (comma) and - (minus)!

EDIT: The big issue in this case is that this throws a warning, even with error_reporting disabled. The error also prints the path of the file location. And that is unwanted!

Timo002
    Spontaneously, I'd say this sounds like a bad idea. If you don't like the message, I'd try to get rid of that message somehow (but not sure if or how that's possible). I would however not preprocess the session id before handing it to session_start(); that sounds like it could introduce security vulnerabilities or other problems. Even if it wouldn't, that wouldn't be nice code, as it should be the session provider's secret what a valid session is and what isn't. – Misch Dec 03 '14 at 10:21
  • 1
    And then the next version of php does it differently and you or your "heir" will fix all installations of that script? – VolkerK Dec 03 '14 at 10:21
  • OK, I understand, but I want to protect the session ID against security vulnerabilities. Now users can change the session ID with other code. This does not affect the server, but the code throws an error that I don't want to see. – Timo002 Dec 03 '14 at 10:23
  • 1
    If a user voluntarily tries to break your application by fiddling with the session id, what's the problem with displaying an ugly message to him? It won't affect "normal" users in any way. – Misch Dec 03 '14 at 10:25
  • @Misch that's true, normal users won't see this. But I run a security scan on my website and it's complaining about this. And the warning is still shown, also having `error_reporting(0); ini_set('display_errors', 0);` set. – Timo002 Dec 03 '14 at 10:27
  • I would follow the above advice. Basically it sounds like you're trying to hack the standard PHP behaviour. Your security concerns should be handled at a higher level. – Christian Bonato Dec 03 '14 at 10:30
  • @Timo002 Well, then your problem is that for some reason disabling error_reporting didn't work. I guess you'll find many questions with similar problems, but that will be a totally different question. – Misch Dec 03 '14 at 10:35

4 Answers

1

The exact characteristics of a session id depend on the session handler you use.

On your production environment you might have a different session handler (for instance, one that adds encryption, or stores the session info in a different place, requiring different keys). Also, the max length doesn't mean that every id should be exactly that length, so even with the same session handler, ids of different lengths could be valid.

To my knowledge, there is no way to 'ask' a session handler whether the id is valid or what characteristics it supports, so personally I wouldn't verify the id, but just try to load the session and catch the message if it fails, after which you can either proceed without a session, or close the request gracefully.

If you still think it's a good idea to check the session id yourself, you might have a look at this question, where people attempted to solve the problem by applying a regular expression.

GolezTrol
1

As said in my comments, it is probably best not to do what you initially wanted to do. Instead, try turning the warning off.

You can configure what errors or warnings php prints and/or logs: PHP Error reporting, PHP display errors, PHP Log errors

Misch
  • I have disabled showing any error: `error_reporting(0); ini_set('display_errors', 0);` And it works for all errors I've found so far, but not this particular one. Doing this is working fine at the moment: `@session_start();` – Timo002 Dec 03 '14 at 10:38
0

I totally agree with @Misch's diagnosis, but I think that the solution must be different. After you detect an invalid PHPSESSID, just die() the script. When you are under an attack or under a security test (that emulates an attack) there is no need to output any content. The sequence should be:

    // check for a valid PHPSESSID cookie (files handler: a-z, A-Z, 0-9, "," and "-")
    // add a {N} length quantifier once you know the length your handler produces
    if (isset($_COOKIE['PHPSESSID']) && !preg_match('/^[a-zA-Z0-9,-]+$/', $_COOKIE['PHPSESSID'])) {
        // set a valid arbitrary new PHPSESSID cookie
        // this is a courtesy, and a sign that you manage the issue
        setcookie('PHPSESSID', bin2hex(random_bytes(16)));
        die();
    }
    session_start();

For the length question, as was said, different values are possible for different handlers; just observe your values on valid sessions and use that length.

Saic Siquot
0

You can specify session.sid_length=... in your php.ini file. Check which ini file is being used through phpinfo();.

Once you make the change, don't forget to restart your Apache and clear cookies on the site that you're testing.

afilina