Allow uppercase letters, as well as commas and minus signs in session IDs #77

Merged
merged 1 commit into from

2 participants

Daniel Rench dimkalinux
Daniel Rench

I am running punbb on the same domain as another application, and I noticed sessions getting clobbered. I realize punbb always sets the hash argument to true when calling random_key(), making the existing regex work, but in my situation, I am deliberately sharing punbb sessions with this other application. The session IDs PHP's file session handler generates can contain uppercase letters, as well as commas and minus signs (see http://www.php.net/manual/en/function.session-id.php).

As a workaround I could write a fn_forum_session_start_start hook to override forum_session_start() but I'd like you to consider loosening the regex as in this patch.

Daniel Rench drench Allow uppercase letters, '-' and ',' in session ID
ref: http://www.php.net/manual/en/function.session-id.php
"The , (comma) and - (minus) characters are allowed in the file session handler."
d297112
dimkalinux dimkalinux merged commit a7228f0 into from
Commits on Apr 29, 2012
  1. Daniel Rench

    Allow uppercase letters, '-' and ',' in session ID

    drench authored
Showing with 1 addition and 1 deletion.
  1. +1 −1  include/functions.php
2  include/functions.php
@@ -53,7 +53,7 @@ function forum_session_start() {
else if (isset($_GET['PHPSESSID']))
$forum_session_id = $_GET['PHPSESSID'];
- if (empty($forum_session_id) || !preg_match('/^[a-z0-9]{16,32}$/', $forum_session_id))
+ if (empty($forum_session_id) || !preg_match('/^[a-z0-9\-,]{16,32}$/i', $forum_session_id))
{
// Create new session id
$forum_session_id = random_key(32, FALSE, TRUE);
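Review bot: On the `+` line the pattern still ends in `$` without the `D` modifier, so PCRE also accepts a value that ends in a single newline. Since `$forum_session_id` can come straight from `$_GET['PHPSESSID']` (context lines above), anchor the end with `\z` or add `D`, for example `'/^[a-z0-9,-]{16,32}\z/i'`; placing `-` last in the class also removes the need for the backslash. The `{16,32}` bound is unchanged, so an ID longer than 32 characters is still rejected and replaced by `random_key(32, FALSE, TRUE)`; worth confirming that this fits the session-sharing case described in the PR.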