adjust session ID check to specification

The documentation says sessionIDs are between 22 and 256 chars long. A quick test only showed 26 chars in common configurations, but this should cover all possibilities.

adjust session ID check to specification
The documentation says sessionIDs are between 22 and 256 chars long. A quick test only showed 26 chars in common configurations, but this should cover all possibilities.
924e477e · Andreas Gohr · Andreas Gohr · 6eb3cdf6 · 924e477e
Commit 924e477e authored 8 years ago by Andreas Gohr Committed by Andreas Gohr 8 years ago
--- a/inc/init.php
+++ b/inc/init.php
@@ -232,6 +232,7 @@ mail_setup();
 * Makes sure the passed session cookie is valid, invalid ones are ignored an a new session ID is issued
 *
 * @link http://stackoverflow.com/a/33024310/172068
+ * @link http://php.net/manual/en/session.configuration.php#ini.session.sid-length
 */
 function init_session() {
    global $conf;
@@ -239,7 +240,7 @@ function init_session() {
    session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true);

    // make sure the session cookie contains a valid session ID
-    if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[DOKU_SESSION_NAME])) {
+    if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{22,256}$/', $_COOKIE[DOKU_SESSION_NAME])) {
        unset($_COOKIE[DOKU_SESSION_NAME]);
    }