AKRABAT

I recently needed to validate the value created by PHP for its session ID. After a bit of research, I realised that there are two interesting php.ini config settings that relate to this value:

• session.sid_length is the number of characters in the ID
• session.sid_bits_per_character controls the set of characters used. From the manual:
  

  The possible values are ‘4’ (0-9, a-f), ‘5’ (0-9, a-v), and ‘6’ (0-9, a-z, A-Z, “-“, “,”).

Therefore, to validate the session ID we need to create a regular expression that looks for the correct set of characters of the expected length.

I wrote function to do this:

function isValidSessionId(string $sessionId): bool
{
    $sidLength = ini_get('session.sid_length');

    switch (ini_get('session.sid_bits_per_character')) {
        case 6:
            $characterClass = '0-9a-zA-z,-';
            break;
        case 5:
            $characterClass = '0-9a-z';
            break;
        case 4:
            $characterClass = '0-9a-f';
            break;
        default:
            throw new RuntimeException('Unknown value in session.sid_bits_per_character.');
    }
    $pattern = '/^[' . $characterClass . ']{' . $sidLength . '}$/';

    return preg_match($pattern, $sessionId) === 1;
}

You could use it like this:

$name = session_name();
if (isset($_COOKIE[$name])) {
    if (!isValidSessionId($_COOKIE[$name])) {
        // invalid - return an error, just send back a 500 or something
        exit;
    }
}

As far as I can tell, we can’t use session_id() as we haven’t started the session yet, however as the session is just a cookie at the HTTP level, we can use $_COOKIE instead.

Note also that the manual has an excellent section on Sessions and Security which is worth reading.

Source: AKRABAT