Handling of values with periods in framework.session.name configuration #27023
Comments
fabpot
added a commit
that referenced
this issue
May 17, 2018
This PR was merged into the 2.7 branch. Discussion ---------- Disallow invalid characters in session.name | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #27023 | License | MIT | Doc PR | PHP saves cookie with correct name, but upon deserialization to `$_COOKIE`, it replaces "." characters with "_". This is probably also reason why \SessionHandler is not able to find a session. https://harrybailey.com/2009/04/dots-arent-allowed-in-php-cookie-names/ https://bugs.php.net/bug.php?id=75883 Commits ------- 16ebb43 Disallow illegal characters like "." in session.name
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Session#name will contain name as specified. However, cookie will be saved into attribute bag as "name_with_dots", so Symfony won't ever find corresponding session. This is apparently normal for global vars in PHP.
This is similar to #9009 and #6908. However, in this case it should be normalized/disallowed on Config level, otherwise it's not obvious why sessions don't work.
The text was updated successfully, but these errors were encountered: