ZF-12465: Session::_checkId() fails ID validation in specific circumstances

Issue Type: Bug Created: 2012-11-13T21:46:33.000+0000 Last Updated: 2012-12-18T20:08:28.000+0000 Status: Resolved Fix version(s): - 1.12.1 (18/Dec/12)

Reporter: Matthew Weier O'Phinney (matthew) Assignee: Matthew Weier O'Phinney (matthew) Tags: - Zend_Session

Related issues: Attachments:


Due to changes introduced in 1.12, the session identifiers used under Zend Server's "cluster" session save handler are no longer valid (they contain a "-", which is specifically stripped out by _checkId()).

The actual identifier is a subsection of the identifier in this particular scenario, as one segment identifies the server on which it was originally registered.


Posted by Matthew Weier O'Phinney (matthew) on 2012-11-13T21:47:01.000+0000

The following patch corrects the issue:

{code) diff -u -r Zend/Session.php Zend.patched/Session.php --- Zend/Session.php 2012-05-28 22:25:03.000000000 +0300 +++ Zend.patched/Session.php 2012-11-07 14:01:49.840266000 +0200 @@ -516,6 +516,15 @@ protected static function _checkId($id) { $hashBitsPerChar = ini_get('session.hash_bits_per_character'); + $saveHandler = ini_get('session.save_handler'); + + if ($saveHandler == 'cluster') { // Zend Server SC, validate only after last dash + $dashPos = strrpos($id, '-'); + if ($dashPos) { + $id = substr($id, $dashPos+1); + } + } + if (!$hashBitsPerChar) { $hashBitsPerChar = 5; // the default value } ```

Posted by Matthew Weier O'Phinney (matthew) on 2012-11-13T21:52:23.000+0000

Merged to master and 1.12 branch.

Have you found an issue?

See the Overview section for more details.


© 2006-2018 by Zend, a Rogue Wave Company. Made with by awesome contributors.

This website is built using zend-expressive and it runs on PHP 7.