Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit d8f84c7

Browse files
peter17peter17
committed
[HttpFoundation] [Session] Overwrite invalid session id
1 parent ce4a1a9 commit d8f84c7

File tree

2 files changed

+15
-0
lines changed

2 files changed

+15
-0
lines changed

src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -152,6 +152,12 @@ public function start()
152152
throw new \RuntimeException(sprintf('Failed to start the session because headers have already been sent by "%s" at line %d.', $file, $line));
153153
}
154154

155+
$sessionId = $_COOKIE[session_name()] ?? null;
156+
if ($sessionId && !preg_match('/^[a-zA-Z0-9,-]{22,}$/', $sessionId)) {
157+
// the session ID in the header is invalid, create a new one
158+
session_id(session_create_id());
159+
}
160+
155161
// ok to try and start the session
156162
if (!session_start()) {
157163
throw new \RuntimeException('Failed to start the session.');

src/Symfony/Component/HttpFoundation/Tests/Session/Storage/NativeSessionStorageTest.php

Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -293,4 +293,13 @@ public function testGetBagsOnceSessionStartedIsIgnored()
293293

294294
$this->assertEquals($storage->getBag('flashes'), $bag);
295295
}
296+
297+
public function testRegenerateInvalidSessionId()
298+
{
299+
$_COOKIE[session_name()] = '&~[';
300+
$started = (new NativeSessionStorage())->start();
301+
302+
$this->assertTrue($started);
303+
$this->assertMatchesRegularExpression('/^[a-zA-Z0-9,-]{22,}$/', session_id());
304+
}
296305
}

0 commit comments

Comments
 (0)