
Author Topic: session_start() errors made by guests  (Read 1214 times)

Offline phantomm

  • Sophist Member
  • *****
  • Posts: 1,064
  • Gender: Male
    • pages/smfpl/171860759503032 on Facebook
    • Polish ElkArte community
session_start() errors made by guests
« on: April 26, 2013, 04:43:29 AM »
Hi, today I saw this in the logs:
Code:
http://szynszyle.info/forum/index.php?action=post;board=10.0+%5BPLM=0%5D%5BR%5D+GET+http://szynszyle.info/forum/index.php?action=register+%5B0,15253,15932%5D+-%3E+%5BR%5D+POST+http://szynszyle.info/forum/index.php?action=register+%5B0,21501,7784%5D+-%3E+%5BR%5D+POST+http://szynszyle.info/forum/index.php?action=register2+%5B0,0,12314%5D+-%3E+%5BL%5D+GET+http://szynszyle.info/forum/index.php?action=login+%5B0,5886,9549%5D+-%3E+%5BL%5D+POST+http://szynszyle.info/forum/index.php?action=login2+%5B18440,0,9616%5D+-%3E+%5BN%5D+GET+http://szynszyle.info/forum/index.php?PHPSESSID=cc9a42fd87280fd19eefd4c85eb65c63&amp;board=10.0+%5B0,0,56724%5D+-%3E+%5BN%5D+GET+http://szynszyle.info/forum/index.php?action=post;board=10.0+%5B0,82441,2850%5D+-%3E+%5BN%5D+POST+http://szynszyle.info/forum/index.php?action=post2;start=0;board=10+%5B0,0,93864%5D+Result:+using+proxy+221.130.199.121:80;+chosen+nickname+%22jaeo%22;+captcha+recognized;+success;+BB-code+not+working;2: session_start() [<a href='function.session-start'>function.session-start</a>]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
File: /public_html/forum/Sources/Load.php
Line: 2402

Here's part of Load.php:
Code:
2382:         }
2383:
2384:         // Use database sessions? (they don't work in 4.1.x!)
2385:         if (!empty($modSettings['databaseSession_enable']) && @version_compare(PHP_VERSION, '4.2.0') != -1)
2386:         {
2387:             session_set_save_handler('sessionOpen', 'sessionClose', 'sessionRead', 'sessionWrite', 'sessionDestroy', 'sessionGC');
2388:             @ini_set('session.gc_probability', '1');
2389:         }
2390:         elseif (@ini_get('session.gc_maxlifetime') <= 1440 && !empty($modSettings['databaseSession_lifetime']))
2391:             @ini_set('session.gc_maxlifetime', max($modSettings['databaseSession_lifetime'], 60));
2392:
2393:         // Use cache setting sessions?
2394:         if (empty($modSettings['databaseSession_enable']) && !empty($modSettings['cache_enable']) && php_sapi_name() != 'cli')
2395:         {
2396:             if (function_exists('mmcache_set_session_handlers'))
2397:                 mmcache_set_session_handlers();
2398:             elseif (function_exists('eaccelerator_set_session_handlers'))
2399:                 eaccelerator_set_session_handlers();
2400:         }
2401:
==>2402:         session_start();
2403:
2404:         // Change it so the cache settings are a little looser than default.
2405:         if (!empty($modSettings['databaseSession_loose']))
2406:             header('Cache-Control: private');
2407:     }
2408:
2409:     // While PHP 4.1.x should use $_SESSION, it seems to need this to do it right.
2410:     if (@version_compare(PHP_VERSION, '4.2.0') == -1)
2411:         $HTTP_SESSION_VARS['php_412_bugfix'] = true;
2412:
2413:     // Set the randomly generated code.
2414:     if (!isset($_SESSION['session_var']))
2415:     {
2416:         $_SESSION['session_value'] = md5(session_id() . mt_rand());
2417:         $_SESSION['session_var'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
2418:     }
2419:     $sc = $_SESSION['session_value'];
2420: }
2421:
2422: function sessionOpen($save_path, $session_name)

Forum version: 2.0.4
Installed mods:
SimplePortal 2.3.5,
Stop Forum Spam 1.0,
notCaptcha 1.06.

The board with ID 10 is a board where guests can post new topics and reply to other topics.

What can cause these errors?
« Last Edit: April 26, 2013, 09:26:44 AM by phantomm »
Polish SMF support at simplemachines.org

My mods

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,605
    • StoryBB/StoryBB on GitHub
Re: session_start() errors made by guests
« Reply #1 on: April 26, 2013, 09:19:29 AM »
What log is that exactly?
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline phantomm

Re: session_start() errors made by guests
« Reply #2 on: April 26, 2013, 09:24:37 AM »
SMF Error log

Offline Arantor

Re: session_start() errors made by guests
« Reply #3 on: April 26, 2013, 09:26:36 AM »
That smells like a hack attempt. I don't think there's actually anything you can directly do about it - but I don't know why the guest user session isn't being properly validated elsewhere. (2.0.3 did change that, but it still should be validating it against the list of characters referred to)
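
The validation mentioned in reply #3, checking a client-supplied session id against the characters named in the PHP warning before session_start() runs, can be sketched as follows. This is an added example, not SMF's code and not part of the original posts; the function names and the 16 to 128 length bound are assumptions made for illustration.

```php
<?php
// Added example (not SMF code): drop a malformed client-supplied session id
// from the request arrays before session_start() runs, and keep a short
// record of what was dropped for the error log.

// Character set taken from the PHP warning: a-z, A-Z, 0-9, '-' and ','.
// The 16..128 length bound is an assumption made for this example.
function is_plausible_session_id($id)
{
    // The 'D' modifier stops '$' from matching before a trailing newline.
    return is_string($id) && preg_match('~^[A-Za-z0-9,-]{16,128}$~D', $id) === 1;
}

// Remove a bad id from each input source and return the rejected values,
// truncated so a very long junk string cannot flood the log.
function discard_malformed_session_id($name, array &$cookie, array &$get, array &$post)
{
    $rejected = array();
    $sources = array('cookie' => &$cookie, 'get' => &$get, 'post' => &$post);
    foreach ($sources as $label => &$values) {
        if (isset($values[$name]) && !is_plausible_session_id($values[$name])) {
            $bad = is_string($values[$name]) ? $values[$name] : '(non-string)';
            $rejected[$label] = substr($bad, 0, 60);
            unset($values[$name]);
        }
    }
    unset($values); // break the reference left behind by foreach
    return $rejected;
}

// Constructed sample input: one well-formed id in the cookie and one value
// in the query string that contains spaces and brackets.
$cookie = array('PHPSESSID' => 'cc9a42fd87280fd19eefd4c85eb65c63');
$get    = array('PHPSESSID' => 'board=10.0 [PLM=0][R] GET /index.php?action=register');
$post   = array();

$dropped = discard_malformed_session_id('PHPSESSID', $cookie, $get, $post);
var_dump(isset($cookie['PHPSESSID']), isset($get['PHPSESSID']));
print_r($dropped);

// In a web request the same call would take the superglobals:
// discard_malformed_session_id(session_name(), $_COOKIE, $_GET, $_POST);
// session_start();
```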