Using pipe character in session variable key causes session data to be removed #18634

Open
@mintopia

Description

If data is added to $_SESSION with a key containing the pipe character (|) then all session data is removed when the session is saved.

<?php
session_start();
$_SESSION['foo|bar'] = 'value';

This also affects explicitly saving the session using session_write_close() as well as during request shutdown.

On a subsequent request, the $_SESSION variable will be empty, when the expectation is for it to contain the data.

The reason for this is that the pipe character is defined as a delimiter in session files between the key and the serialized value; and session.c explicitly causes an empty session to be written if the delimiter is used as a key.

This should probably throw a warning for the user to inform them that the session data has not been written, similar to when you try and use an invalid session save handler or it's unable to write the session file.

PHP Version

PHP 8.4.7 (cli) (built: May  6 2025 12:31:58) (NTS)
Copyright (c) The PHP Group
Built by Homebrew
Zend Engine v4.4.7, Copyright (c) Zend Technologies
    with Xdebug v3.4.2, Copyright (c) 2002-2025, by Derick Rethans
    with Zend OPcache v8.4.7, Copyright (c), by Zend Technologies

Operating System

No response
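
A guard along the lines the report asks for, as an added example (not code from the issue or from php-src): it checks the top-level keys of `$_SESSION` for the `|` delimiter before the session is written and raises a warning instead of letting the data be dropped silently. The function names are hypothetical, and it assumes `session.serialize_handler` is the default `php` handler.

```php
<?php
declare(strict_types=1);

// Delimiter between key and serialized value, as described in the issue.
const SESSION_KEY_DELIMITER = '|';

/**
 * Return the top-level session keys that contain the delimiter.
 * Hypothetical helper; only keys of $_SESSION itself are checked.
 */
function findUnsafeSessionKeys(array $session, string $handler): array
{
    // Assumption: only the default "php" serialize handler is guarded here.
    if ($handler !== 'php') {
        return [];
    }
    $unsafe = [];
    foreach (array_keys($session) as $key) {
        if (is_string($key) && str_contains($key, SESSION_KEY_DELIMITER)) {
            $unsafe[] = $key;
        }
    }
    return $unsafe;
}

/**
 * Hypothetical wrapper: warn and refuse to close the session while an
 * unsafe key is present, so the caller can rename or remove it first.
 */
function closeSessionChecked(): bool
{
    $handler = (string) ini_get('session.serialize_handler');
    $unsafe = findUnsafeSessionKeys($_SESSION ?? [], $handler);
    if ($unsafe !== []) {
        trigger_error(
            'Session not written, keys contain "|": ' . implode(', ', $unsafe),
            E_USER_WARNING
        );
        return false;
    }
    return session_write_close();
}

// Constructed sample data, checked without starting a real session.
$sample = ['user_id' => 42, 'foo|bar' => 'value', 'csrf' => 'constructed-token'];
print_r(findUnsafeSessionKeys($sample, 'php'));
```

Calling `closeSessionChecked()` in place of `session_write_close()` covers explicit saves only; the write at request shutdown is not intercepted by it.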
