
I am getting a random warning with the following text:

The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in...

In such cases $_COOKIE dump looks like this:

array (
    'PHPSESSID' => '0t4qiq1ec36teca0l2ph74qq94,PHPSESSID=0t4qiq1ec36teca0l2ph74qq94,PHPSESSID=0t4qiq1ec36teca0l2ph74qq94,PHPSESSID=0t4qiq1ec36teca0l2ph74qq94',
)

Is it a bug or some kind of hacking attempt?

Edit: The issue is gone after I found an infinite redirect on the site under some conditions at the login page.

CamaroSS
    Looking at that output, it's almost certainly the case that you are appending your session id over and over again. See how many session ids that string contains. Where do you set it? And why would you set it manually? – Hanky Panky Feb 26 '15 at 06:33
  • `setcookie` is used for PHPSESSID only once - to destroy it in the logout script (empty value, expiration time in the past). Session always starts with `session_start`. – CamaroSS Feb 26 '15 at 06:37
  • You don't have to manually set the session cookie. – Hanky Panky Feb 26 '15 at 06:38
  • I only manually UNset it. – CamaroSS Feb 26 '15 at 06:51

1 Answer

If you notice, your cookie value itself is repeating the session id with the cookie name again and again.

This may happen if someone tried to inject in some way.

You can read about session related vulnerabilities here: https://stackoverflow.com/a/5081453/2004910

Apul Gupta