php 会话ID太长或包含非法字符,有效字符为az、AZ、0-9和'-,'
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3185779/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
提问by Nandini Bhaduri
How to solve :
怎么解决 :
Warning: session_start() [function.session-start]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in ..... on line 3
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at ......:3) in ..... on line 3
Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at .....:3) in ..... on line 3
警告:session_start() [function.session-start]: session id 太长或包含非法字符,有效字符为 az, AZ, 0-9 和 '-,' in ..... on 第 3 行
警告:session_start() [function.session-start]:无法发送会话 cookie - 第 3 行中的(输出开始于 ......:3)已发送的标头
警告:session_start() [function.session-start]:无法发送会话缓存限制器 - 第 3 行中的头文件已发送(输出开始于 .....:3)
采纳答案by Sergey Eremin
have a look at this session_start()discussionfor a work-around:
看看这个session_start()讨论的解决方法:
session_start()generate a warning if PHPSESSID contains illegal charactersWarning: session_start() [function.session-start]: The session id contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in /home/para/dev/mon_site/header.php on line 17
To avoid i wrote this :
<?php function my_session_start() { if (ini_get('session.use_cookies') && isset($_COOKIE['PHPSESSID'])) { $sessid = $_COOKIE['PHPSESSID']; } elseif (!ini_get('session.use_only_cookies') && isset($_GET['PHPSESSID'])) { $sessid = $_GET['PHPSESSID']; } else { session_start(); return false; } if (!preg_match('/^[a-z0-9]{32}$/', $sessid)) { return false; } session_start(); return true; } ?>
session_start()如果 PHPSESSID 包含非法字符,则生成警告警告:session_start() [function.session-start]: session id 包含非法字符,有效字符为 az, AZ, 0-9 和 '-,' in /home/para/dev/mon_site/header.php 17
为了避免我写了这个:
<?php function my_session_start() { if (ini_get('session.use_cookies') && isset($_COOKIE['PHPSESSID'])) { $sessid = $_COOKIE['PHPSESSID']; } elseif (!ini_get('session.use_only_cookies') && isset($_GET['PHPSESSID'])) { $sessid = $_GET['PHPSESSID']; } else { session_start(); return false; } if (!preg_match('/^[a-z0-9]{32}$/', $sessid)) { return false; } session_start(); return true; } ?>
回答by EvilThinker
It is an information vulnerability: a malicious attacker may alter the cookies and assign illegal characters to PHPSESSID to expose this PHP warning, which in fact contains juicy information like the file path and the username!
这是一个信息漏洞:恶意攻击者可能会修改cookies并为PHPSESSID分配非法字符来暴露这个PHP警告,该警告实际上包含文件路径和用户名等多汁信息!
回答by alpere
There is a bug report for this problem (https://bugs.php.net/bug.php?id=68063)
这个问题有一个错误报告(https://bugs.php.net/bug.php?id=68063)
You can check the success of your session_start and generate the id if needed:
您可以检查 session_start 是否成功并在需要时生成 id:
$ok = @session_start();
if(!$ok){
session_regenerate_id(true); // replace the Session ID
session_start();
}
回答by Cendak
I edited Andron's previous solution! (fix returned value) and added the evaluation output of my_session_start(). Previous solution solve problem with error message, but I need have to session started.
我编辑了Andron 以前的解决方案!(修复返回值)并添加了 my_session_start() 的评估输出。以前的解决方案解决了错误消息的问题,但我需要启动会话。
/**
* @return boolean return TRUE if a session was successfully started
*/
function my_session_start()
{
$sn = session_name();
if (isset($_COOKIE[$sn])) {
$sessid = $_COOKIE[$sn];
} else if (isset($_GET[$sn])) {
$sessid = $_GET[$sn];
} else {
return session_start();
}
if (!preg_match('/^[a-zA-Z0-9,\-]{22,40}$/', $sessid)) {
return false;
}
return session_start();
}
if ( !my_session_start() ) {
session_id( uniqid() );
session_start();
session_regenerate_id();
}
回答by Andron
I suggest to use "more correct" version of the function.
我建议使用该函数的“更正确”版本。
Several notes:
几个注意事项:
- More correct regular expression (allows characters in the range a-z A-Z 0-9 , (comma) and - (minus)) as described here.
Regular expression depends on the php ini settings, like described hereand here. - Use session name method
So updated version looks like this:
所以更新的版本看起来像这样:
<?php
function my_session_start()
{
$sn = session_name();
if (isset($_COOKIE[$sn])) {
$sessid = $_COOKIE[$sn];
} else if (isset($_GET[$sn])) {
$sessid = $_GET[$sn];
} else {
session_start();
return false;
}
if (!preg_match('/^[a-zA-Z0-9,\-]{22,40}$/', $sessid)) {
return false;
}
session_start();
return true;
}
?>
回答by Shaobo Wang
If you don't care about other users (for example: if it's a private interface), just check you browser, find the cookie PHPSESSID (or the name you gave it), delete it, and refresh.
如果您不关心其他用户(例如:如果它是私有接口),只需检查您的浏览器,找到 cookie PHPSESSID(或您给它的名称),将其删除,然后刷新。
回答by danjfoley
I came with up this simple method, just try and catch the session start, and if there is a problem regenerate the session.
我想出了这个简单的方法,试着抓住会话开始,如果有问题,重新生成会话。
try {
session_start();
} catch(ErrorExpression $e) {
session_regenerate_id();
session_start();
}
