[HttpFoundation] Update "[Session] Overwrite invalid session id" to only validate when files session storage is used #46678
Conversation
carsonbot
changed the title
|
Also I think the original fix is a bit awkward because it results in session data loss - see the fail test runs on https://www.drupal.org/project/drupal/issues/3285696. It's possible for a session handler to have it's own method for generating IDs - see SessionIdInterface and there are no restrictions about the characters that can return. What is valid is determined by how the session is stored. The a-z A-Z 0-9 , (comma) and - (minus) and length restrictions only exist for PHP's built in file session storage. |
|
Slightly different approach prompted by @nicolas-grekas - targeting just the NativeFileSessionHandler or if somehow PHP's file session storage is being used. |
alexpott
changed the title
src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php
Outdated
Show resolved
Hide resolved
…nly validate when files session storage is used
nicolas-grekas
requested review from
lyrixx,
yceruto,
wouterj,
chalasr,
dunglas and
xabbuh
as code owners
nicolas-grekas
force-pushed
the
revert-46249
branch
from
cf5802f
to
12460fa
Compare
|
Thank you @alexpott. |
|
I use native PHP storage and default PHP save handler with configuration like this : # framework.yml
framework:
session:
handler_id: null
storage_factory_id: session.storage.factory.nativeUnfortunately, the |
#46249 restricts the allowed characters in a session ID. Unfortunately this broke at least two open source projects the use the Symfony component. See nelmio/NelmioSecurityBundle#312 and https://www.drupal.org/project/drupal/issues/3285696
I think the change is not quite correct. It assumes that the valid characters in a session ID is consistent across all session handlers. It is not. See https://www.php.net/manual/en/function.session-id.php it says:
So we've limited the characters to the file session handler but we might not be using that.