Author Topic: session_start() errors made by guests  (Read 1239 times)

Adrek
session_start() errors made by guests
« on: April 26, 2013, 04:43:29 AM »
Hi, today I saw this in the logs:
Code:
http://szynszyle.info/forum/index.php?action=post;board=10.0+%5BPLM=0%5D%5BR%5D+GET+http://szynszyle.info/forum/index.php?action=register+%5B0,15253,15932%5D+-%3E+%5BR%5D+POST+http://szynszyle.info/forum/index.php?action=register+%5B0,21501,7784%5D+-%3E+%5BR%5D+POST+http://szynszyle.info/forum/index.php?action=register2+%5B0,0,12314%5D+-%3E+%5BL%5D+GET+http://szynszyle.info/forum/index.php?action=login+%5B0,5886,9549%5D+-%3E+%5BL%5D+POST+http://szynszyle.info/forum/index.php?action=login2+%5B18440,0,9616%5D+-%3E+%5BN%5D+GET+http://szynszyle.info/forum/index.php?PHPSESSID=cc9a42fd87280fd19eefd4c85eb65c63&amp;board=10.0+%5B0,0,56724%5D+-%3E+%5BN%5D+GET+http://szynszyle.info/forum/index.php?action=post;board=10.0+%5B0,82441,2850%5D+-%3E+%5BN%5D+POST+http://szynszyle.info/forum/index.php?action=post2;start=0;board=10+%5B0,0,93864%5D+Result:+using+proxy+221.130.199.121:80;+chosen+nickname+%22jaeo%22;+captcha+recognized;+success;+BB-code+not+working;2: session_start() [<a href='function.session-start'>function.session-start</a>]: The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
File: /public_html/forum/Sources/Load.php
Line: 2402

Here's part of Load.php:
Code:
2382: }
2383:
2384: // Use database sessions? (they don't work in 4.1.x!)
2385: if (!empty($modSettings['databaseSession_enable']) && @version_compare(PHP_VERSION, '4.2.0') != -1)
2386: {
2387: session_set_save_handler('sessionOpen', 'sessionClose', 'sessionRead', 'sessionWrite', 'sessionDestroy', 'sessionGC');
2388: @ini_set('session.gc_probability', '1');
2389: }
2390: elseif (@ini_get('session.gc_maxlifetime') <= 1440 && !empty($modSettings['databaseSession_lifetime']))
2391: @ini_set('session.gc_maxlifetime', max($modSettings['databaseSession_lifetime'], 60));
2392:
2393: // Use cache setting sessions?
2394: if (empty($modSettings['databaseSession_enable']) && !empty($modSettings['cache_enable']) && php_sapi_name() != 'cli')
2395: {
2396: if (function_exists('mmcache_set_session_handlers'))
2397: mmcache_set_session_handlers();
2398: elseif (function_exists('eaccelerator_set_session_handlers'))
2399: eaccelerator_set_session_handlers();
2400: }
2401:
==>2402: session_start();
2403:
2404: // Change it so the cache settings are a little looser than default.
2405: if (!empty($modSettings['databaseSession_loose']))
2406: header('Cache-Control: private');
2407: }
2408:
2409: // While PHP 4.1.x should use $_SESSION, it seems to need this to do it right.
2410: if (@version_compare(PHP_VERSION, '4.2.0') == -1)
2411: $HTTP_SESSION_VARS['php_412_bugfix'] = true;
2412:
2413: // Set the randomly generated code.
2414: if (!isset($_SESSION['session_var']))
2415: {
2416: $_SESSION['session_value'] = md5(session_id() . mt_rand());
2417: $_SESSION['session_var'] = substr(preg_replace('~^\d+~', '', sha1(mt_rand() . session_id() . mt_rand())), 0, rand(7, 12));
2418: }
2419: $sc = $_SESSION['session_value'];
2420: }
2421:
2422: function sessionOpen($save_path, $session_name)

Forum version: 2.0.4
Installed mods:
SimplePortal 2.3.5,
Stop Forum Spam 1.0,
notCaptcha 1.06.

The board with ID 10 is a board where guests can post new topics and reply to other topics.

What can cause these errors?
« Last Edit: April 26, 2013, 09:26:44 AM by phantomm »
Polish SMF support at simplemachines.org

the simplest solution is most likely the right one

Arantor
Re: session_start() errors made by guests
« Reply #1 on: April 26, 2013, 09:19:29 AM »
What log is that exactly?
No good deed goes unpunished
All helpful urges should be circumvented

Adrek
Re: session_start() errors made by guests
« Reply #2 on: April 26, 2013, 09:24:37 AM »
SMF Error log

Arantor
Re: session_start() errors made by guests
« Reply #3 on: April 26, 2013, 09:26:36 AM »
That smells like a hack attempt. I don't think there's actually anything you can directly do about it - but I don't know why the guest user session isn't being properly validated elsewhere. (2.0.3 did change that, but it still should be validating it against the list of characters referred to)
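
The validation mentioned in the last reply, sketched as an added example that is not part of the thread and not SMF's own code: check any client-supplied session ID against the character list from the PHP warning before session_start() runs, and substitute a fresh ID when it fails. The function names are hypothetical, the 128-character cap is an assumption, and the code assumes PHP 7 or later.

```php
<?php
// Added example, not SMF code. Assumes PHP 7+ (random_bytes, scalar types).

// Character list taken from the PHP warning quoted in the thread.
// The 128-character cap is an assumption made for this example.
const SID_PATTERN = '/\A[a-zA-Z0-9,-]{1,128}\z/';

function is_valid_session_id($sid): bool
{
    // Arrays (e.g. PHPSESSID[]=x) and other non-strings are rejected too.
    return is_string($sid) && preg_match(SID_PATTERN, $sid) === 1;
}

// Hypothetical helper: the first session ID the client supplied, checked in
// the order cookie, GET, POST. Returns null when none was sent.
function client_session_id(string $name)
{
    foreach ([$_COOKIE, $_GET, $_POST] as $source) {
        if (array_key_exists($name, $source)) {
            return $source[$name];
        }
    }
    return null;
}

// Hypothetical wrapper around session_start(). Returns true when a
// client-supplied ID was rejected and replaced with a fresh one.
function start_session_checked(): bool
{
    $supplied = client_session_id(session_name());
    $rejected = $supplied !== null && !is_valid_session_id($supplied);
    if ($rejected) {
        // Log only the type, never the raw attacker-controlled value.
        error_log('Rejected malformed session ID of type ' . gettype($supplied));
        // An ID set before session_start() is used instead of the supplied one.
        session_id(bin2hex(random_bytes(16)));
    }
    session_start();
    return $rejected;
}
```

Counting the true returns per client address gives a simple signal for automated posting tools that send malformed session IDs, like the one in the log entry above.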