View Issue Details

ID: 0004683
Project: OXID eShop (all versions)
Category: 4.02. Session handling
View Status: public
Last Update: 2018-12-05 14:57
Reporter: alfonsas_cirtautas
Priority: high
Severity: minor
Reproducibility: always
Status: closed
Resolution: unable to reproduce
Product Version: 4.7.0_5.0.0_RC2
Target Version:
Fixed in Version:
Summary: 0004683: PHP Warning is produced when session cookies are disabled and form with empty force_sid is submitted
Description: When session cookie usage is disabled in config.inc.php using $this->blSessionUseCookies = false and the production server is misconfigured (showing errors/warnings to users instead of logging them), the user can get a warning.

It is just a warning, shop functionality is not broken by this issue.
Steps To Reproduce: Disable cookie usage in config.inc.php

$this->blSessionUseCookies = false;

Try to log in with a clean browser (no previous shop sessions or cookies)

Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in .../core/oxconfig.php on line 902
Additional Information: Fixes can be applied in several places:

oxconfig::getShopId() and oxsession::hiddenSid()
Tags: Cookies
Theme: Not defined
Browser: All
PHP Version: Not defined
MySQL Version: Not defined

Activities

martinwegele

2014-10-20 12:20

reporter   ~0010252

reproduced on 5.1.6:
$this->blSessionUseCookies = false in config.inc.php
added an invalid parameter like % to force_sid in the URL
-> PHP warning is displayed (or written to the log file)

QA

2018-12-05 14:57

administrator   ~0012725

-MK
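
An added example, not OXID eShop code and not part of the original report: one way to check a request-supplied `force_sid` against the character set named in the warning before handing it to `session_start()`, so that an empty value or a value such as `%` falls back to a freshly generated id. The names `sanitizeForcedSid`, `startCookielessSession` and `MAX_SID_LENGTH` are hypothetical, and the length cap of 128 is an assumption.

```php
<?php
// Added example (PHP 7.1+). All names below are hypothetical, not OXID's API.

const MAX_SID_LENGTH = 128; // assumption: conservative upper bound on id length

/**
 * Return the candidate id if it is non-empty, within the length cap and made
 * only of the characters session_start() accepts (a-z, A-Z, 0-9, '-' and ',').
 * Return null for anything else, including non-string input such as arrays.
 */
function sanitizeForcedSid($candidate): ?string
{
    if (!is_string($candidate) || $candidate === '') {
        return null;
    }
    if (strlen($candidate) > MAX_SID_LENGTH) {
        return null;
    }
    // \A and \z anchor the whole string, so a trailing newline is rejected too.
    return preg_match('/\A[A-Za-z0-9,-]+\z/', $candidate) === 1 ? $candidate : null;
}

/**
 * Start a session for the cookieless setup described in the report.
 * An invalid force_sid is ignored, so PHP generates a new id and no
 * warning is raised.
 */
function startCookielessSession(array $request): string
{
    $sid = sanitizeForcedSid($request['force_sid'] ?? null);
    if ($sid !== null) {
        session_id($sid);
    }
    session_start();
    return session_id();
}

// Constructed sample inputs: the empty value from the summary, the '%' from
// the 5.1.6 reproduction, an array parameter, and one well-formed id.
$samples = ['', '%', ['x'], "abc123\n", 'k3v9q0d2m1a7-b,c'];
foreach ($samples as $sample) {
    echo var_export($sample, true), ' => ',
         var_export(sanitizeForcedSid($sample), true), PHP_EOL;
}
```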