
I have this function:

public static function sessionStart()
{
    try {
        if (ini_get('session.use_cookies') && isset($_COOKIE['PHPSESSID'])) {
            $sessid = $_COOKIE['PHPSESSID'];
        } elseif (!ini_get('session.use_only_cookies') && isset($_GET['PHPSESSID'])) {
            $sessid = $_GET['PHPSESSID'];
        } else {
            session_start();
            return false;
        }

        if (preg_match('/[^a-zA-Z0-9\-]{32}/i', $sessid)) {
            return false;
        }
        session_start();

        return true;
    } catch (Exception $ex) {
        return false;
    }
}

However, in some cases, session_start still throws a warning. How could I validate the session id so I will never get warnings? The problem started to creep in when I changed PHP version from 5.3 to 5.6.

Warning:

The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'

Lajos Arpad

1 Answer


One solution is to use the PHP error control operator:

@session_start();

If you want to validate that it started properly, just return the bool from that:

return @session_start();

(As stated in the documentation:)

This function returns TRUE if a session was successfully started, otherwise FALSE.

It also appears that your regex check is incorrect; I've updated it below:

!preg_match('/^[a-z0-9\-]{32}$/i', $sess)

You can see the results here.

  • I do not want to suppress the warning. I want to prevent it. The thing bugging me is that I am calling session_start with invalid session id. Either too long or there is some other problem. – Lajos Arpad Mar 21 '15 at 15:24
  • Also, try changing your preg_match around (it doesn't seem to be matching correctly: http://www.tehplayground.com/#6ZYnn9VKL `!preg_match('/^[a-z0-9\-]{32}$/i', $sess)`), although you may want to check [this](http://stackoverflow.com/questions/12240922/what-is-the-length-of-a-php-session-id-string), as it may not be exactly 32 chars. (You should let session_start() do the checking IMO.) Let me know the exact warning, and I can help out further. –  Mar 21 '15 at 15:36
  • I have no clue about regexp syntax, so your last comment might have a valid point – Lajos Arpad Mar 21 '15 at 16:10
  • I will have to wait to see whether this is really working. It seems to be good, but I will return after testing, hopefully soon to this question – Lajos Arpad Mar 21 '15 at 16:49
  • Danbopes, it seems that if (preg_match('/^[a-z0-9\-]{32}$/i', $sessid)) { was the solution. If you edit your answer with the prevention of the problem instead of the suppression of the error message, then I will accept it, as it seems to be the solution. If I do not cancel the acceptance of the solution tomorrow, then it is final. – Lajos Arpad Mar 21 '15 at 16:57
  • Edited my original answer. –  Mar 21 '15 at 17:23
  • Unfortunately I have got the same warning. Maybe the limit is not 32 characters. I will have to check that. – Lajos Arpad Mar 22 '15 at 12:08
  • Your regexp does not take big letters into account. Unfortunately I cannot accept the answer yet. – Lajos Arpad Mar 22 '15 at 12:14
  • I have found out that there is a problem with the size. The length is 26 characters, not 32. My question is: why do you think it is better to use this regexp: /^[a-z0-9\-]{26}$/i than this regexp: /[^a-zA-Z0-9\-]{26}/i? The difference is that in the first, the ^ is outside the square brackets and in the second big letters are taken into account as well. – Lajos Arpad Mar 22 '15 at 12:57
  • My regex did take big letters into account (Hence the i at the end, meaning a case insensitive search). My regex searches for an exact string of a-z 0-9 with dashes that is 32 (Or in your case 26 characters), looking for the exact length of your session id (Although, I don't believe it should search for dashes either). –  Mar 22 '15 at 16:36
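An added example (not code from the question, the answer or the comments) that does what the discussion above converges on: validate the incoming id before session_start() instead of suppressing the warning, and derive the expected length from the server's session.hash_* settings rather than hard-coding 26 or 32. It assumes PHP 5.x as in the question (those ini settings were removed in 7.1), the default files save handler, and the openssl extension for the throwaway id; the function names are the example's own.

```php
<?php
// Length PHP 5.x generates: ceil(hash bits / session.hash_bits_per_character);
// md5 with 5 bits per character gives the 26 characters seen in the comments.
function expectedSessionIdLength()
{
    $algo = (string) ini_get('session.hash_function');        // "0" md5, "1" sha1, or a hash_algos() name
    $bits = (int) ini_get('session.hash_bits_per_character');  // 4, 5 or 6
    if ($algo === '1') {
        $hashBits = 160;
    } elseif ($algo !== '0' && $algo !== '' && in_array($algo, hash_algos(), true)) {
        $hashBits = strlen(hash($algo, '', true)) * 8;
    } else {
        $hashBits = 128;                                       // md5, PHP's default
    }
    if ($bits < 4 || $bits > 6) {
        $bits = 4;                                             // PHP's default; the effective value is normally in range
    }
    return (int) ceil($hashBits / $bits);
}

// Allowlist the files save handler enforces (a-z, A-Z, 0-9, '-' and ',', at most
// 128 characters), tightened to the exact length this server generates. The
// pattern is anchored; the question's /[^a-zA-Z0-9\-]{32}/i is negated and
// unanchored, so it only matches 32 consecutive illegal characters.
function isValidSessionId($id)
{
    return is_string($id)
        && strlen($id) === expectedSessionIdLength()
        && preg_match('/^[a-zA-Z0-9,\-]{1,128}$/', $id) === 1;
}

// Validate the incoming id before session_start(). A malformed id is replaced
// by a throwaway random one and immediately regenerated, so PHP never opens
// the bad id (no warning) and the client receives a fresh cookie.
function sessionStartValidated()
{
    $name = session_name();                                    // PHPSESSID by default
    $incoming = null;
    if (ini_get('session.use_cookies') && isset($_COOKIE[$name])) {
        $incoming = $_COOKIE[$name];
    } elseif (!ini_get('session.use_only_cookies') && isset($_GET[$name])) {
        $incoming = $_GET[$name];
    }
    if ($incoming !== null && !isValidSessionId($incoming)) {
        session_id(bin2hex(openssl_random_pseudo_bytes(16)));  // 32 hex chars, always acceptable
        return session_start() && session_regenerate_id(true);
    }
    return session_start();
}
```

Logging the rejected value's length and character class (not the value itself) in the invalid branch gives a useful detection signal for tampered or forged session cookies without suppressing anything.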