Issues

ZF-12465: Session::_checkId() fails ID validation in specific circumstances

Description

Due to changes introduced in 1.12, the session identifiers used under Zend Server's "cluster" session save handler are no longer valid (they contain a "-", which is specifically stripped out by _checkId()).

The actual identifier is a subsection of the identifier in this particular scenario, as one segment identifies the server on which it was originally registered.
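As an added illustration (not Zend Framework code, and not part of this ticket), the following PHP sketch validates a session identifier per `session.hash_bits_per_character` and, for the cluster layout described above, checks the server segment before the last dash as well as the hash after it; the function names, the alphanumeric rule for the server segment and the sample IDs are assumptions made here:

```php
<?php
// Added example: validates plain and cluster-style session IDs.
// Charset per session.hash_bits_per_character follows PHP's session module
// (4 -> 0-9a-f, 5 -> 0-9a-v, 6 -> 0-9a-zA-Z plus ',' and '-').
function sessionIdCharset(int $hashBitsPerChar): string
{
    switch ($hashBitsPerChar) {
        case 4:  return '0-9a-f';
        case 5:  return '0-9a-v';
        case 6:  return '0-9a-zA-Z,\-';
        default: throw new InvalidArgumentException('unsupported session.hash_bits_per_character');
    }
}

// Plain save handler: the whole ID must match the charset.
function isValidSessionId(string $id, int $hashBitsPerChar = 5): bool
{
    return $id !== ''
        && preg_match('/^[' . sessionIdCharset($hashBitsPerChar) . ']+$/', $id) === 1;
}

// Cluster layout "<server-segment>-<session-hash>": the hash is checked as above;
// the server segment is (by assumption here) restricted to alphanumerics, so
// nothing unchecked reaches the save handler.
function isValidClusterSessionId(string $id, int $hashBitsPerChar = 5): bool
{
    $dashPos = strrpos($id, '-');
    if ($dashPos === false || $dashPos === 0) {
        return false; // no server segment present
    }
    $server = substr($id, 0, $dashPos);
    $hash   = substr($id, $dashPos + 1);
    return preg_match('/^[0-9a-zA-Z]+$/', $server) === 1
        && isValidSessionId($hash, $hashBitsPerChar);
}

// Constructed sample IDs (not real session identifiers), 5 bits per character.
assert(isValidSessionId('p1q2r3s4t5u6v7a8b9c0d1e2f3') === true);
assert(isValidSessionId('abc123defghijklmnopqrstuvwxyz') === false);  // w..z outside 0-9a-v
assert(isValidSessionId('srv1-p1q2r3s4t5u6v7a8b9c0d1e2f3') === false); // dash fails the plain check
assert(isValidClusterSessionId('srv1-p1q2r3s4t5u6v7a8b9c0d1e2f3') === true);
assert(isValidClusterSessionId('srv/1-p1q2r3s4t5u6v7a8b9c0d1e2f3') === false); // bad server segment
assert(isValidClusterSessionId('p1q2r3s4t5u6v7a8b9c0d1e2f3') === false);      // no segment at all
```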

Comments

The following patch corrects the issue:

{code) diff -u -r Zend/Session.php Zend.patched/Session.php --- Zend/Session.php 2012-05-28 22:25:03.000000000 +0300 +++ Zend.patched/Session.php 2012-11-07 14:01:49.840266000 +0200 @@ -516,6 +516,15 @@ protected static function _checkId($id) { $hashBitsPerChar = ini_get('session.hash_bits_per_character'); + $saveHandler = ini_get('session.save_handler'); + + if ($saveHandler == 'cluster') { // Zend Server SC, validate only after last dash + $dashPos = strrpos($id, '-'); + if ($dashPos) { + $id = substr($id, $dashPos+1); + } + } + if (!$hashBitsPerChar) { $hashBitsPerChar = 5; // the default value } ```
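Review bot: the new `cluster` branch validates only the part of `$id` after the last dash, so the server segment in front of it (and any number of earlier dashes) is accepted with no character check at all and is passed through to the save handler unvalidated; consider also matching that prefix against a restrictive pattern (for example alphanumerics only) before truncating, e.g. `if (!preg_match('#^[0-9a-zA-Z]+$#', substr($id, 0, $dashPos))) { return false; }`. Two smaller points: `if ($dashPos)` treats a dash at position 0 as "no dash", which is harmless only because the leading dash then fails the later pattern match; and when `session.hash_bits_per_character` is 6 the dash is itself a legal ID character, so the truncation silently discards a valid prefix rather than validating it.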

Merged to master and 1.12 branch.