From 8c37a086c78a66517967fcb809fb53297becfe42 Mon Sep 17 00:00:00 2001
From: Yasuo Ohgaki
Date: Fri, 15 Jan 2016 09:45:08 +0900
Subject: [PATCH] Improved fix for bug #68063 (Empty session IDs do still start sessions).
---
 NEWS | 1 +
 ext/session/session.c | 9 ++++-----
 ext/session/tests/bug68063.phpt | 14 +++++++++-----
 3 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/NEWS b/NEWS
index d9738749a7..b5771a4f69 100644
--- a/NEWS
+++ b/NEWS
@@ -22,6 +22,7 @@ PHP NEWS
 on the same server). (Anatol)
 - Session:
+ . Improved fix for bug #68063 (Empty session IDs do still start sessions). (Yasuo)
 . Fixed bug #71122 (Session GC may not remove obsolete session data). (Yasuo)
 . Fixed bug #71038 (session_start() returns TRUE on failure).
 It's fixed partially on PHP 5.6. It still returns TRUE on session read
diff --git a/ext/session/session.c b/ext/session/session.c
index 53e22c252e..ffb6fb381b 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -512,7 +512,10 @@ static void php_session_initialize(TSRMLS_D) /* {{{ */
 }
 /* If there is no ID, use session module to create one */
- if (!PS(id)) {
+ if (!PS(id) || !PS(id)[0]) {
+ if (PS(id)) {
+ efree(PS(id));
+ }
 PS(id) = PS(mod)->s_create_sid(&PS(mod_data), NULL TSRMLS_CC);
 if (!PS(id)) {
 php_session_abort(TSRMLS_C);
@@ -2102,10 +2105,6 @@ static PHP_FUNCTION(session_decode)
 static PHP_FUNCTION(session_start)
 {
 /* skipping check for non-zero args for performance reasons here ?*/
- if (PS(id) && !strlen(PS(id))) {
- php_error_docref(NULL TSRMLS_CC, E_WARNING, "Cannot start session with empty session ID");
- RETURN_FALSE;
- }
 php_session_start(TSRMLS_C);
diff --git a/ext/session/tests/bug68063.phpt b/ext/session/tests/bug68063.phpt
index d3da470d06..ec3a70d156 100644
--- a/ext/session/tests/bug68063.phpt
+++ b/ext/session/tests/bug68063.phpt
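Review bot: In the first ext/session/session.c hunk (php_session_initialize), `efree(PS(id));` leaves `PS(id)` pointing at freed memory until `s_create_sid` returns and overwrites it. If that call does not return normally (for instance a save handler that bails out, which cannot be ruled out from this hunk), later cleanup that tests `PS(id)` could free it a second time; clearing it at once, `efree(PS(id)); PS(id) = NULL;`, closes that window. The new condition treats only the empty string as a missing ID, so a one-line comment such as `/* empty ID is treated as no ID and replaced; other ID validation is not done here */` would keep readers from assuming more. Because the second hunk drops the warning from session_start(), an empty ID is now replaced silently and no longer leaves a trace in the error log. The body of php_session_initialize continues outside the hunk.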
@@ -3,18 +3,22 @@ Bug #68063 (Empty session IDs do still start sessions)
 --SKIPIF--
 --INI--
+session.use_strict_mode=0
+session.hash_function=1
+session.hash_bits_per_character=4
 --FILE--
 --EXPECTF--
-Warning: session_start(): Cannot start session with empty session ID in %s on line %d
-bool(false)
-string(0) ""
+bool(true)
+string(40) "%s"
-- 
2.40.0
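Review bot: The new expectation `string(40) "%s"` pins only the length of the regenerated ID; with session.hash_function=1 and session.hash_bits_per_character=4 set under --INI-- the ID should be hexadecimal, so `string(40) "%x"` would also catch an ID containing unexpected characters. The --INI-- block fixes session.use_strict_mode=0, so this file does not exercise the empty-ID case with strict mode enabled; a variant with `session.use_strict_mode=1` would cover that path if no other test does. The PHP body between --FILE-- and --EXPECTF-- is not visible here, so this is based on the INI and expected-output lines only.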