Fixed bug #68063 Empty session IDs do still start sessions

diff --git a/ext/session/session.c b/ext/session/session.c
index 2c4d5c0d4636e47a0dfb4f403c6c68534aeda9cd..9b609308ed121cfe655ee3ef605507336efb3983 100644 (file)
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -2053,6 +2053,11 @@ static PHP_FUNCTION(session_decode)
 static PHP_FUNCTION(session_start)
 {
        /* skipping check for non-zero args for performance reasons here ?*/
+       if (PS(id) && !strlen(PS(id))) {
+               php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot start session with empty session ID");
+               RETURN_FALSE;
+       }
+
        php_session_start(TSRMLS_C);
 
        if (PS(session_status) != php_session_active) {

diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt
new file mode 100644 (file)
index 0000000..d3da470
--- /dev/null
+++ b/ext/session/tests/bug68063.phpt
@@ -0,0 +1,20 @@
+--TEST--
+Bug #68063 (Empty session IDs do still start sessions)
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--INI--
+--FILE--
+<?php
+// Could also be set with a cookie like "PHPSESSID=; path=/"
+session_id('');
+
+// Will still start the session and return true
+var_dump(session_start());
+
+// Returns an empty string
+var_dump(session_id());
+?>
+--EXPECTF--
+Warning: session_start(): Cannot start session with empty session ID in %s on line %d
+bool(false)
+string(0) ""