Validating default PHP session ID values

Written by Rob Allen / Original link on Feb. 13, 2020

I recently needed to validate the value created by PHP for its session ID. After a bit of research, I realised that there are two interesting php.ini config settings that relate to this value:

Therefore, to validate the session ID we need to create a regular expression that looks for the correct set of characters of the expected length.

I wrote function to do this:

function isValidSessionId(string $sessionId): bool
    $sidLength = ini_get('session.sid_length');

    switch (ini_get('session.sid_bits_per_character')) {
        case 6:
            $characterClass = '0-9a-zA-z,-';
        case 5:
            $characterClass = '0-9a-v';
        case 4:
            $characterClass = '0-9a-f';
            throw new \RuntimeException('Unknown value in session.sid_bits_per_character.');
    $pattern = '/^[' . $characterClass . ']{' . $sidLength . '}$/';

    return preg_match($pattern, $sessionId) === 1;

You could use it like this:

$name = session_name();
if (isset($_COOKIE[$name])) {
    if (!isValidSessionId($_COOKIE[$name])) {
        // invalid - return an error, just send back a 500 or something

As far as I can tell, we can't use session_id() as we haven't started the session yet, however as the session is just a cookie at the HTTP level, we can use $_COOKIE instead.

Note also that the manual has an excellent section on Sessions and Security which is worth reading.

roballen roballen

« SymfonyConnect adds new badges for Sylius and API Platform - ★ laravel-event-sourcing v3 has been released »