0004683: PHP Warning is produced when session cookies are disabled and form with empty force_sid is submitted

ID	Project	Category	View Status	Date Submitted	Last Update

0004683	OXID eShop (all versions)	4.02. Session handling	public	2012-11-05 13:27	2018-12-05 14:57

Reporter	alfonsas_cirtautas	Assigned To
Priority	high	Severity	minor	Reproducibility	always
Status	closed	Resolution	unable to reproduce
Product Version	4.7.0_5.0.0_RC2

Summary	0004683: PHP Warning is produced when session cookies are disabled and form with empty force_sid is submitted
Description	When session cookie usage is disable in config.inc.php using $this->blSessionUseCookies = false and production server is misconfigured (showing errors/warnings to users, instead of log) user can get a Warning. It is just a warning, shop functionality is not broken by this issue.
Steps To Reproduce	Disable cookie usage in config.inc.php $this->blSessionUseCookies = false; Try to Login with clean browser (no previous shop sessions or cookies) Warning: session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in .../core/oxconfig.php on line 902
Additional Information	Fixes can be applied to several places, oxconfig::getShopId() and oxsession::hiddenSid()
Tags	Cookies

Theme	Not defined
Browser	All
PHP Version	Not defined
Database Version	Not defined

martinwegele 2014-10-20 12:20 reporter ~0010252	reproduced on 5.1.6: $this->blSessionUseCookies = false in config.inc.php added an invalid parameter like % to force_sid in the URL -> PHP warning is displayed (or written to the log file)

QA 2018-12-05 14:57 administrator ~0012725	-MK