The session id is too long or contains illegal characters #45755


e1sep0 opened this issue Mar 16, 2022 · 7 comments

e1sep0 commented Mar 16, 2022

Symfony version(s) affected

5.4.6

Description

Hi, I have a problem in my project. Sometimes in the log I see such messages:

[2022-03-16T03:49:44.259705+03:00] php.WARNING: Warning: SessionHandler::read(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' {"exception":"[object] (ErrorException(code: 0): Warning: SessionHandler::read(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' at /var/www/vendor/symfony/http-foundation/Session/Storage/Handler/StrictSessionHandler.php:49)"} []
[2022-03-16T03:49:44.259791+03:00] php.WARNING: Warning: session_start(): Failed to read session data: user (path: /var/www/var/sessions/prod) {"exception":"[object] (ErrorException(code: 0): Warning: session_start(): Failed to read session data: user (path: /var/www/var/sessions/prod) at /var/www/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php:149)"} []
[2022-03-16T03:49:44.266919+03:00] request.CRITICAL: Uncaught PHP Exception RuntimeException: "Failed to start the session." at /var/www/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php line 150 {"exception":"[object] (RuntimeException(code: 0): Failed to start the session. at /var/www/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php:150)"} []

Framework config:

framework:
    secret: '%env(APP_SECRET)%'

    session:
        handler_id: session.handler.native_file
        save_path: '%kernel.project_dir%/var/sessions/%kernel.environment%'
        cookie_lifetime: 1814400
        gc_maxlifetime: 1814400
        name: LIFESESSID
        cookie_secure: 'auto'
        cookie_samesite: 'strict'
        storage_factory_id: session.storage.factory.native

    php_errors:
        log: true

How can I fix it? I've read that it's a bug of PHP, but maybe you know about fixing this problem in Symfony?

How to reproduce

I can't reproduce this error, but I think you could manually set session_id and get the error.

Possible Solution

I think about writing a simple wrapper around NativeSessionStorage that will check the validity of the session ID before calling the handler.

Additional Context

No response

xabbuh (Member) commented Mar 18, 2022

Silencing session_start() in NativeSessionStorage would probably help, wouldn't it?

e1sep0 (Author) commented Mar 18, 2022

Silencing? Could you explain your answer?

xabbuh (Member) commented Mar 18, 2022

I was thinking about replacing

if (!session_start()) {
    throw new \RuntimeException('Failed to start the session.');
}

with

if (!@session_start()) {
    throw new \RuntimeException('Failed to start the session.');
}

e1sep0 (Author) commented Mar 18, 2022

I'll try, thank you. But it will not avoid the error, only silence it?
I've added this to the session config, so there couldn't be this exception:

sid_bits_per_character: 5

Maybe somebody tried to hack the service and manually changed session_id to cause the error and get information from it, so your decision will be helpful.

e1sep0 (Author) commented Mar 21, 2022

Unfortunately the error continues to appear in the log:

request.CRITICAL: Uncaught PHP Exception RuntimeException: "Failed to start the session." at /var/www/doctors.kivach.ru/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php line 150 {"exception":"[object] (RuntimeException(code: 0): Failed to start the session. at /var/www/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php:150)"} []
[2022-03-21T12:44:19.551551+03:00] request.CRITICAL: Exception thrown when handling an exception (Twig\Error\RuntimeError: An exception has been thrown during the rendering of a template ("Failed to start the session."). at /var/www/templates/user/layout.html.twig line 23) {"exception":"[object] (Twig\\Error\\RuntimeError(code: 0): An exception has been thrown during the rendering of a template (\"Failed to start the session.\"). at /var/www/templates/user/layout.html.twig:23)\n[previous exception] [object] (RuntimeException(code: 0): Failed to start the session. at /var/www/vendor/symfony/http-foundation/Session/Storage/NativeSessionStorage.php:150)"} []

in NativeSessionStorage.php:

// ok to try and start the session
if (!@session_start()) {
    throw new \RuntimeException('Failed to start the session.');
}

peter17 (Contributor) commented Apr 21, 2022

Silencing session_start in NativeSessionStorage works fine, which means the PHP ErrorException is replaced by the RuntimeException above.

But how can we catch that exception efficiently? There are a lot of places which can lead to this exception being thrown: for instance, in my application, it is triggered by a Twig file: {% if app.session.flashbag.peekAll|length > 0 %}...

I don't see how I can avoid a Twig\Error\RuntimeError if someone sends a request with a (forged) invalid PHPSESSID...

Any idea? Can something be done in Symfony? For instance a configuration parameter to tell Symfony to ignore invalid sessions and/or PHPSESSID?

Thanks in advance. Best regards

peter17 (Contributor) commented Apr 21, 2022

NB: this problem seems to exist even on official Symfony websites, for instance:

$ curl 'https://certification.symfony.com/checkout/test/' -H 'Cookie: symfony=test~test' 
<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8" />
    <meta name="robots" content="noindex,nofollow,noarchive" />
    <title>An Error Occurred: Internal Server Error</title>
    <style>body { background-color: #fff; color: #222; font: 16px/1.5 -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, "Helvetica Neue", Arial, sans-serif; margin: 0; }
.container { margin: 30px; max-width: 600px; }
h1 { color: #dc3545; font-size: 24px; }
h2 { font-size: 18px; }</style>
</head>
<body>
<div class="container">
    <h1>Oops! An Error Occurred</h1>
    <h2>The server returned a "500 Internal Server Error".</h2>

    <p>
        Something is broken. Please let us know what you were doing when this error occurred.
        We will fix it as soon as possible. Sorry for any inconvenience caused.
    </p>
</div>
</body>
</html>

I don't think there is any security issue here, but I find it quite annoying that someone can easily produce a 500 error on an application...

nicolas-grekas added a commit that referenced this issue May 17, 2022
…peter17)

This PR was merged into the 4.4 branch.

Discussion
----------

[HttpFoundation] [Session] Regenerate invalid session id

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #45755
| License       | MIT
| Doc PR        | no

Currently, having a PHPSESSID which does not match `/^[a-zA-Z0-9,\-]{1,123}$/` (see https://www.php.net/manual/fr/function.session-start.php) will produce a php.WARNING and then a RuntimeException (please read #45755).

I don't think there is a nice way to handle this so I propose to simply ignore invalid values.

With this PR, a value for PHPSESSID that does not match the regex will be ignored and a new session id will be generated. Then, the behavior will be the same as if no session existed, so a new session will be started and a new PHPSESSID will be defined.

It looks like Session storage is currently untested so I don't know how to test this...

Best regards

Commits
-------

d8f84c7 [HttpFoundation] [Session] Overwrite invalid session id
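As an added example, not the PR's own code, here is a standalone PHP version of the check the PR describes (and of the wrapper the issue author proposed): validate the incoming session cookie against the same regex before session_start() and drop a malformed value so PHP generates a fresh id instead of warning and failing. The cookie name and the helper function names are assumptions.

```php
<?php
// Added example, not Symfony's own code: pre-validate the session cookie
// before session_start(), using the regex quoted in the PR description.
declare(strict_types=1);

// True when $id is something PHP's session module will accept
// (1-123 characters from a-z, A-Z, 0-9, comma and hyphen).
function isValidSessionId(string $id): bool
{
    return preg_match('/^[a-zA-Z0-9,\-]{1,123}$/', $id) === 1;
}

// Remove a malformed session cookie from $cookies (normally $_COOKIE) and
// return the discarded value, or null when nothing had to be dropped.
// PHP reads the id from $_COOKIE inside session_start(), so once the entry
// is gone it behaves as on a first visit: new id, new Set-Cookie header.
function discardMalformedSessionCookie(array &$cookies, string $name = 'PHPSESSID'): ?string
{
    $value = $cookies[$name] ?? null;
    if (!is_string($value) || isValidSessionId($value)) {
        return null;
    }
    unset($cookies[$name]);
    return $value;
}

// Replacement for a bare session_start(): ignore a bad id rather than
// letting the warning and "Failed to start the session." bubble up.
function startSessionStrict(string $name = 'PHPSESSID'): string
{
    $dropped = discardMalformedSessionCookie($_COOKIE, $name);
    if ($dropped !== null) {
        // Worth logging: a client sending a non-matching id is either a
        // broken client or someone probing the application.
        error_log(sprintf('Discarded malformed %s cookie (%d bytes)', $name, strlen($dropped)));
    }
    if (!session_start()) {
        throw new \RuntimeException('Failed to start the session.');
    }
    return session_id();
}

// Self-check on constructed cookie arrays; "test~test" is the value from the
// curl command earlier in the thread ('~' is outside the allowed alphabet).
$good = ['PHPSESSID' => 'abc123,-XYZ'];
$bad  = ['PHPSESSID' => 'test~test'];
assert(discardMalformedSessionCookie($good) === null && isset($good['PHPSESSID']));
assert(discardMalformedSessionCookie($bad) === 'test~test' && !isset($bad['PHPSESSID']));
```

The PR itself fixes this inside NativeSessionStorage, so this wrapper is only needed where session_start() is called directly; the error_log line gives operations a signal that a client is sending malformed ids.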