[HttpFoundation] [Session] Overwrite invalid session id.

peter17 · peter17 · commit 60154cec0265 · 2022-05-14T21:05:43.000+02:00
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php b/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
@@ -152,6 +152,14 @@ public function start()
             throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
         }
 
+        $sessionName = session_name();
+        $sessionId = $_COOKIE[$sessionName] ?? null;
+        // validate according to https://www.php.net/manual/fr/function.session-start.php
+        if ($sessionId && !preg_match('/^[a-zA-Z0-9,\-]{1,123}$/', $sessionId)) {
+            // the session ID in the header is invalid, create a new one
+            session_id(session_create_id());
+        }
+
         // ok to try and start the session
         if (!session_start()) {
             throw new \RuntimeException('Failed to start the session.');
