[HttpFoundation][Session] Ignore invalid session id.

peter17 · peter17 · commit 8c4b72b3b9a5 · 2022-05-04T14:48:51.000+02:00
diff --git a/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php b/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
@@ -152,6 +152,13 @@ public function start()
             throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
         }
 
+        $sessionName = session_name();
+        $sessionId = $_COOKIE[$sessionName] ?? null;
+        // validate according to https://www.php.net/manual/fr/function.session-start.php
+        if ($sessionId && !preg_match('/^[a-zA-Z0-9,\-]{1,123}$/', $sessionId)) {
+            unset($_COOKIE[$sessionName]);
+        }
+
         // ok to try and start the session
         if (!session_start()) {
             throw new \RuntimeException('Failed to start the session.');
