PHP
pokirfase, 2015-06-02 14:09:20

Why does generating a new session return an empty string?

Good afternoon! I can’t track down why some users don’t create a normal session in the logs. The logs are full of errors:

[error] 11917#0: *11702441 FastCGI sent in stderr: "PHP message: PHP Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in {FILE} on line {LINE}" while reading response header from upstream, client: {IP}, server: example.ru, request: "GET {URL} HTTP/1.1", upstream: "fastcgi://unix:/tmp/wwwpool.sock:", host: "example.ru"
[error] 11917#0: *11702441 FastCGI sent in stderr: "PHP message: PHP Warning: Unknown: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0
PHP message: PHP Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (/var/lib/php5) in Unknown on line 0" while reading upstream, client: {IP}, server: example.ru, request: "GET {URL} HTTP/1.1", upstream: "fastcgi://unix:/tmp/wwwpool.sock:", host: "example.ru"

I made the following code for the log of such errors:
if (!preg_match('/^([a-z0-9]+)$/', session_id())) {
    //session_id(); // string ''
}

What can be wrong?
The rights on the directory are 733. If there were something wrong with the rights, it would not work for everyone, but it fails only for some users. The log is littered with these warnings. Thank you!


1 answer(s)
Alexey Rytikov, 2015-06-02
@chlp

What version of PHP? Maybe a PHP bug https://bugs.php.net/bug.php?id=68063 and it's just time to upgrade?
Or check the success of session_start() and generate your own if it fails.
Or if these errors are output to users, then the attacker specifically stuffs incorrect characters into cookies in session_id and gets an error in order to look at the paths.
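
One way to apply the second and third suggestions above, as an added example that is not part of the original thread: check the session cookie against the character set named in the warning before calling session_start(), substitute a freshly generated id when it does not match, and keep warnings out of the response. The function names and the 128-character limit are assumptions.

```php
<?php
// Added example; function names are hypothetical, not from the thread.

// Keep warnings (which include file paths) out of responses; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Characters named in the warning: a-z, A-Z, 0-9, '-' and ','.
// The 128-character limit is an assumption; adjust it to your id length.
function is_valid_session_id($id)
{
    return is_string($id)
        && preg_match('/\A[a-zA-Z0-9,-]{1,128}\z/', $id) === 1;
}

function new_session_id()
{
    // random_bytes() exists from PHP 7; fall back to OpenSSL on PHP 5.
    $bytes = function_exists('random_bytes')
        ? random_bytes(16)
        : openssl_random_pseudo_bytes(16);
    return bin2hex($bytes);
}

function start_session_safely()
{
    $name = session_name();
    if (isset($_COOKIE[$name]) && !is_valid_session_id($_COOKIE[$name])) {
        // Log a short, escaped copy so the raw cookie cannot forge log lines.
        $raw = is_string($_COOKIE[$name]) ? $_COOKIE[$name] : '(non-string)';
        error_log('Rejected session cookie: '
            . addcslashes(substr($raw, 0, 64), "\0..\37\177..\377"));
        // An id set before session_start() is used instead of the cookie
        // value, and PHP sends a new session cookie for it.
        session_id(new_session_id());
    }
    if (!session_start()) {
        error_log('session_start() failed');
        return false;
    }
    return true;
}

start_session_safely();
```

An empty or array-valued session cookie is treated the same way as one with illegal characters, so both end up with a fresh id instead of a warning.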
