session_start() errors made by guests

Started by Adrek, April 26, 2013, 04:43:29 AM

Adrek

Hi, today I saw this in the logs:

http://szynszyle.info/forum/index.php?action=post;board=10.0+%5BPLM=0%5D%5BR%5D+GET+http://szynszyle.info/forum/index.php?action=register+%5B0,15253,15932%5D+-%3E+%5BR%5D+POST+http://szynszyle.info/forum/index.php?action=register+%5B0,21501,7784%5D+-%3E+%5BR%5D+POST+http://szynszyle.info/forum/index.php?action=register2+%5B0,0,12314%5D+-%3E+%5BL%5D+GET+http://szynszyle.info/forum/index.php?action=login+%5B0,5886,9549%5D+-%3E+%5BL%5D+POST+http://szynszyle.info/forum/index.php?action=login2+%5B18440,0,9616%5D+-%3E+%5BN%5D+GET+http://szynszyle.info/forum/index.php?PHPSESSID=cc9a42fd87280fd19eefd4c85eb65c63&amp;board=10.0+%5B0,0,56724%5D+-%3E+%5BN%5D+GET+http://szynszyle.info/forum/index.php?action=post;board=10.0+%5B0,82441,2850%5D+-%3E+%5BN%5D+POST+http://szynszyle.info/forum/index.php?action=post2;start=0;board=10+%5B0,0,93864%5D+Result:+using+proxy+221.130.199.121:80;+chosen+nickname+%22jaeo%22;+captcha+recognized;+success;+BB-code+not+working;2: session_start() [<a href='function.session-start'>function.session-start</a>]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
File: /public_html/forum/Sources/Load.php
Line: 2402


Here's part of Load.php:

2382: }
2383:
2384: // Use database sessions? (they don't work in 4.1.x!)
2385: if (!empty($modSettings['databaseSession_enable']) && @version_compare(PHP_VERSION, '4.2.0') != -1)
2386: {
2387: session_set_save_handler('sessionOpen', 'sessionClose', 'sessionRead', 'sessionWrite', 'sessionDestroy', 'sessionGC');
2388: @ini_set('session.gc_probability', '1');
2389: }
2390: elseif (@ini_get('session.gc_maxlifetime') <= 1440 && !empty($modSettings['databaseSession_lifetime']))
2391: @ini_set('session.gc_maxlifetime', max($modSettings['databaseSession_lifetime'], 60));
2392:
2393: // Use cache setting sessions?
2394: if (empty($modSettings['databaseSession_enable']) && !empty($modSettings['cache_enable']) && php_sapi_name() != 'cli')
2395: {
2396: if (function_exists('mmcache_set_session_handlers'))
2397: mmcache_set_session_handlers();
2398: elseif (function_exists('eaccelerator_set_session_handlers'))
2399: eaccelerator_set_session_handlers();
2400: }
2401:
==>2402: session_start();
2403:
2404: // Change it so the cache settings are a little looser than default.
2405: if (!empty($modSettings['databaseSession_loose']))
2406: header('Cache-Control: private');
2407: }
2408:
2409: // While PHP 4.1.x should use $_SESSION, it seems to need this to do it right.
2410: if (@version_compare(PHP_VERSION, '4.2.0') == -1)
2411: $HTTP_SESSION_VARS['php_412_bugfix'] = true;
2412:
2413: // Set the randomly generated code.
2414: if (!isset($_SESSION['session_var']))
2415: {
2416: $_SESSION['session_value'] = md5(session_id() . mt_rand());
2417: $_SESSION['session_var'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
2418: }
2419: $sc = $_SESSION['session_value'];
2420: }
2421:
2422: function sessionOpen($save_path, $session_name)


Forum version: 2.0.4
Installed mods:
SimplePortal 2.3.5,
Stop Forum Spam 1.0,
notCaptcha 1.06.

The board with ID 10 is a board where guests can post new topics and reply to other topics.

What can cause these errors?
Polish SMF support at simplemachines.org

the simplest solution is most likely the right one

Arantor

That smells like a hack attempt. I don't think there's actually anything you can directly do about it - but I don't know why the guest user session isn't being properly validated elsewhere. (2.0.3 did change that, but it still should be validating it against the list of characters referred to)
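
One way to apply the character check mentioned in the reply above before `session_start()` runs, as an added example (not SMF code and not posted by anyone in this thread). The function names and the 128-character cap are assumptions, and it assumes PHP takes the client-supplied id from `$_COOKIE`, `$_GET` or `$_POST`:

```php
<?php
// Added example, not SMF code. Function names and the 128-character
// length cap are assumptions made for this illustration.

// True when $id is a string made only of the characters the PHP warning
// lists (a-z, A-Z, 0-9, '-' and ','). Arrays (PHPSESSID[]=x) fail too.
function is_valid_session_id($id)
{
    return is_string($id) && preg_match('/\A[A-Za-z0-9,-]{1,128}\z/', $id) === 1;
}

// Remove a malformed id from one request array. Returns true if removed.
function discard_invalid_session_id(array &$source, $name)
{
    if (!array_key_exists($name, $source) || is_valid_session_id($source[$name])) {
        return false;
    }
    unset($source[$name]);
    return true;
}

// Call this instead of a bare session_start(): malformed ids are dropped,
// so PHP issues a fresh session rather than raising the warning.
function start_session_checked()
{
    $name = session_name();
    $rejected = array();
    if (discard_invalid_session_id($_COOKIE, $name)) { $rejected[] = 'cookie'; }
    if (discard_invalid_session_id($_GET, $name)) { $rejected[] = 'get'; }
    if (discard_invalid_session_id($_POST, $name)) { $rejected[] = 'post'; }
    if ($rejected) {
        // Log where it came from, never the raw value (avoids log injection).
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        error_log('Rejected malformed session id from ' . implode(',', $rejected) . ', client ' . $ip);
    }
    return session_start();
}

// Constructed sample input (not taken from the log above).
$cookie = array('PHPSESSID' => 'abc123 [R] POST index.php');
$get    = array('PHPSESSID' => '0123456789abcdef0123456789abcdef', 'board' => '10.0');
var_dump(discard_invalid_session_id($cookie, 'PHPSESSID'));
var_dump(discard_invalid_session_id($get, 'PHPSESSID'));
var_dump(array_keys($cookie), array_keys($get));
```

Counting the `Rejected malformed session id` log entries per client address gives a simple signal for automated posting tools like the one visible in the logged URL.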
