Disallow "." in session.name

PHP saves cookie with correct name, but upon deserialization to $_COOKIE, it replaces "." characters with "_". This is probably also reason why \SessionHandler is not able to find a session. https://harrybailey.com/2009/04/dots-arent-allowed-in-php-cookie-names/ https://bugs.php.net/bug.php?id=75883
symfony · May 12, 2018 · 1548744 · 1548744
1 parent 00c61da
commit 1548744
Showing 1 changed file with 6 additions and 1 deletion.
diff --git a/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php b/src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Configuration.php
@@ -339,7 +339,12 @@ private function addSessionSection(ArrayNodeDefinition $rootNode)
                     ->children()
                         ->scalarNode('storage_id')->defaultValue('session.storage.native')->end()
                         ->scalarNode('handler_id')->defaultValue('session.handler.native_file')->end()
-                        ->scalarNode('name')->end()
+                        ->scalarNode('name')
+                            ->validate()
+                                ->ifTrue(function ($v) { return false !== strpos($v, '.'); })
+                                ->thenInvalid('Session name can not contain character "."')
+                            ->end()
+                        ->end()
                         ->scalarNode('cookie_lifetime')->end()
                         ->scalarNode('cookie_path')->end()
                         ->scalarNode('cookie_domain')->end()