Disallow characters that Cookie RFC does not allow in unquoted cookies

diff --git a/ext/session/session.c b/ext/session/session.c
index b249f3a758091a505ff52126097e79447836e97f..3d87a423c577b62d57cb09120fe734259ee95665 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -807,7 +807,7 @@ static void php_session_initialize(TSRMLS_D)
        int vallen;
 
        /* check session name for invalid characters */
-       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\")) {
+       if (PS(id) && strpbrk(PS(id), "\r\n\t <>'\"\\()@,;:[]?={}&%")) {
                efree(PS(id));
                PS(id) = NULL;
        }