Fix GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method

Girgias · Girgias · commit 8b115254c0b0 · 2022-09-27T15:52:21.000+01:00
diff --git a/NEWS b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.25
 
+- Session:
+  . Fixed bug GH-9583 (session_create_id() fails with user defined save handler
+    that doesn't have a validateId() method). (Girgias)
+
 29 Sep 2022, PHP 8.0.24
 
 - Core:
diff --git a/ext/session/session.c b/ext/session/session.c
@@ -1083,8 +1083,9 @@ PHPAPI int php_session_register_module(const ps_module *ptr) /* {{{ */
 /* }}} */
 
 /* Dummy PS module function */
+/* We consider any ID valid, so we return FAILURE to indicate that a session doesn't exist */
 PHPAPI int php_session_validate_sid(PS_VALIDATE_SID_ARGS) {
-	return SUCCESS;
+	return FAILURE;
 }
 
 /* Dummy PS module function */
diff --git a/ext/session/tests/gh9583.phpt b/ext/session/tests/gh9583.phpt
@@ -0,0 +1,45 @@
+--TEST--
+GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+class SessionHandlerTester implements \SessionHandlerInterface
+{
+
+    public function close(): bool { return true; }
+
+    public function destroy($id): bool { return true; }
+
+    public function gc($max_lifetime): int|false { return 1; }
+
+    public function open($path, $name): bool { return true; }
+
+    public function read($id): string { return ''; }
+
+    public function write($id, $data): bool { return true; }
+
+    //public function create_sid() { return uniqid(); }
+
+    //public function validateId($key) { return true; }
+}
+
+$obj = new SessionHandlerTester();
+ini_set('session.use_strict_mode','1');
+session_set_save_handler($obj);
+session_start();
+
+echo "\nvalidateId() ".(method_exists($obj,'validateId')?('returns '.($obj->validateId(1)?'true':'false')):'is commented out');
+echo "\n";
+$sessionId = session_create_id();
+echo "\nSession ID:".$sessionId;
+echo "\n";
+
+?>
+--EXPECTF--
+validateId() is commented out
+
+Session ID:%s

Original file line number	Diff line number	Diff line change
`@@ -1083,8 +1083,9 @@ PHPAPI int php_session_register_module(const ps_module ptr) / {{{ */`
`1083`	`1083`	`/* }}} */`
`1084`	`1084`
`1085`	`1085`	`/* Dummy PS module function */`
	`1086`	`+/* We consider any ID valid, so we return FAILURE to indicate that a session doesn't exist */`
`1086`	`1087`	`PHPAPI int php_session_validate_sid(PS_VALIDATE_SID_ARGS) {`
`1087`		`- return SUCCESS;`
	`1088`	`+ return FAILURE;`
`1088`	`1089`	`}`
`1089`	`1090`
`1090`	`1091`	`/* Dummy PS module function */`