Redis session missing checking for setting of wrong session id (FIXING PATCH INSIDE) #88
Comments
Here is a patch fixing this issue misterion@9cb3aa7
@misterion Thanks! I'll try to merge this today.
@misterion, after review I don't see any reason why we should limit the session key to these characters. Redis doesn't have this limitation. However, the empty string is indeed a special case that should probably be filtered out. What do you think?
Yes, Redis doesn't have this limitation, but in the real world the PHP session extension uses these characters to generate the session id. In general you can ignore this, but 'space', 'tab' and control characters like '\r\n\a' must be filtered in any case. This is because of the possibility of using PHP functions like 'empty'. One more reason to add the limitation is backward compatibility for session ids. I think that using files, sql, memcache or redis for session storage must produce the same results. So you can use this limitation or not, but you need to filter the characters I wrote above.
Nicolasff, do you need some more information before merging this issue into master?
Hey guys, I think it's really critical, because it allows someone to grab your session.
Thanks!
Hey, Interesting. I think disallowing empty sessions is the right way to go. I'll see about getting a hotfix up for this situation. Cheers,
Is there a patch for redis 2.8.17? We currently have a user logged in as a different user because of an empty session ID.
Is this fixed in 3.1.1?
Using file or sql-like session storage you get a warning if you try to set an empty session id.
Try this code
The result is 'Warning: Unknown: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in Unknown on line 0'
So at least you have a chance to locate the problem in the code and fix it. Using the redis session handler you don't get this warning.
But the most important point is the following.
Using the original PHP handler you get something like this:
but with the redis session handler you get an empty session which would be set to the client!!!
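The two points raised in this thread, that an empty session id must be rejected and that the control characters and whitespace mentioned above must be filtered so a Redis-backed handler behaves like the files handler, can be expressed as one validation step performed before the handler touches the backend. The following is an added illustration written for this page; it is not the patch linked above and not code from phpredis. The function names, the 128-byte length cap and the sample ids are assumptions made for the example; the accepted character set is the one quoted in the files-handler warning earlier in the thread.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length cap for an id. Assumed value for this example; the thread only
 * says the files handler rejects ids that are "too long". */
#define SESSION_ID_MAX_LEN 128

/* Returns true if the `len` bytes at `id` form a session id the PHP files
 * handler would accept: non-empty, not over the cap, and made only of
 * a-z, A-Z, 0-9, '-' and ','. Taking an explicit length (instead of
 * relying on strlen) means an embedded NUL byte is seen and rejected
 * rather than silently truncating the key. */
bool session_id_is_valid(const char *id, size_t len)
{
    if (id == NULL || len == 0 || len > SESSION_ID_MAX_LEN)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)id[i];
        bool ok = (c >= 'a' && c <= 'z') ||
                  (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') ||
                  c == '-' || c == ',';
        if (!ok)
            return false;   /* rejects space, tab, \r, \n, \a, NUL, ... */
    }
    return true;
}

/* Convenience wrapper for NUL-terminated ids. */
bool session_id_is_valid_str(const char *id)
{
    return id != NULL && session_id_is_valid(id, strlen(id));
}

/* Guard a handler entry point (read/write/destroy) would call first.
 * Returns 1 when the id may be used as a storage key and 0 when the
 * request must be refused; the message mirrors the files-handler
 * warning so the problem is as visible as it is with file storage. */
int session_handler_guard(const char *id, size_t len)
{
    if (!session_id_is_valid(id, len)) {
        fprintf(stderr, "The session id is too long or contains illegal "
                        "characters, valid characters are a-z, A-Z, 0-9 "
                        "and '-,'\n");
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample ids: the empty id from this thread, a normal id,
     * ids carrying the whitespace/control characters discussed above. */
    const char *samples[] = { "", "abc123", "abc 123", "a\r\nb", "ok,-id" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-10s -> %s\n", samples[i],
               session_id_is_valid_str(samples[i]) ? "accept" : "reject");
    }
    return 0;
}
```

Because the check runs before any GET/SET against Redis, an empty or malformed id never becomes a key in the store, so two clients presenting an empty id can no longer be served the same session data.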