Jaffer
Reputation: 2968
Checking Client provided Php SID is valid or not?
For session handling i am using mysql instead of default php file based handling.
so before reading session info from db, i wanted to verify client provided session id is valid, i wrote a function and it looks working for now, but still wanted to check with you masters about it
private function validSID($id) {
return !empty($id) && preg_match('/^[a-zA-Z0-9,-]{26,40}$/', $id);
}
Thanks Guys
EDIT: i did modification as you guys suggested, shown below
private function validSID($id) {
//make sure the length is 22
//things are based on session.hash_bits_per_character = 6
return preg_match('/^[a-zA-Z0-9,-]{22}$/', $id);
}
Upvotes: 0
Views: 132
Answers (1)
Marc B
Reputation: 360732
You're checking for valid digits, but completely ignoring the fact that PHP's session IDs are a fixed length based on various .ini parameters. You should tailors your check so that any ID string which does NOT match php's current settings should be rejected, e.g. there's hash_bits_per_character amongst others.
Upvotes: 1
Related Questions
- php session.use_trans_sid
- Check if session id is in this code
- PHP Session SID URL - url does not have SID
- Check if php session string is valid and exists
- Handle Invalid Session Id
- Is it possible to load session by SID in php?
- Checking if session id ISSET in PDO
- What's dangerous about echoing the SID
- Sessions without passing SID - is it reliable?
- Check if PHP session_id is in use