Can someone explain if this is correct behaviour from PHP? I was expecting session_start() to return false and to get a warning saying that session_name contains illegal characters.
Code to reproduce:
<?php
session_name('m m');
var_dump(session_start());
if (!isset($_SESSION['count'])) {
    $_SESSION['count'] = 0;
}
else {
    $_SESSION['count']++;
}
echo session_name();
echo $_SESSION['count'];
Run it once:
bool(true) m m0
reload page:
bool(true) m m0
Should have been (if session was working):
bool(true) m m1
session_start() returns true, which indicates the session has started. The $_SESSION['count'] indicates that it does not work. There is no warning on illegal characters in the session name.
I can not find any hints on the manual page, nor a definition on what is valid characters for a session.
PHP generates something like this:
Set-Cookie: m+m=unttot9siteipcsrc0r064hn37; path=/
... and the browser (Firefox/23) sends this back:
Cookie: m+m=unttot9siteipcsrc0r064hn37
So far so good. But then PHP generates a new session ID:
Set-Cookie: m+m=7tmi7kd8n27ef3qdk5q706gk85; path=/
Is it a bug? I'd say it isn't since your session name is clearly invalid:
The session name references the name of the session, which is used in cookies and URLs (e.g. PHPSESSID). It should contain only alphanumeric characters; it should be short and descriptive (i.e. for users with enabled cookie warnings). If name is specified, the name of the current session is changed to its value.
Warning
The session name can't consist of digits only, at least one letter must be present. Otherwise a new session id is generated every time.
If you follow the rules it works as expected:
session_name('mxm');
To sum up:
Edit: Just noticed you say this:
I can not find any hints on the manual page, nor a definition on what is valid characters for a session.
I found that information right in the manual page for session_name().
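Because session_start() returns true and raises no warning for a name like 'm m', the two rules quoted from the manual can be enforced before the name ever reaches session_name(). The following is an added example, not code from the question or the answer; the function names `session_name_problems` and `start_named_session` are hypothetical, and the sample names are constructed.

```php
<?php
declare(strict_types=1);

/**
 * Check a candidate session name against the two rules quoted from the
 * manual: alphanumeric characters only, and not digits only.
 * Returns a list of problems; an empty list means the name is acceptable.
 */
function session_name_problems(string $name): array
{
    $problems = [];
    if ($name === '') {
        $problems[] = 'name is empty';
    } elseif (!preg_match('/\A[A-Za-z0-9]+\z/', $name)) {
        $problems[] = 'contains non-alphanumeric characters';
    } elseif (preg_match('/\A[0-9]+\z/', $name)) {
        $problems[] = 'consists of digits only';
    }
    return $problems;
}

/**
 * Fail loudly instead of silently getting a new session ID on every request.
 * Call this before any output is sent.
 */
function start_named_session(string $name): void
{
    $problems = session_name_problems($name);
    if ($problems !== []) {
        throw new InvalidArgumentException(
            'Invalid session name ' . var_export($name, true) . ': ' . implode('; ', $problems)
        );
    }
    session_name($name);
    if (!session_start()) {
        throw new RuntimeException('session_start() failed');
    }
}

// Constructed sample names, including the two from this page ('m m', 'mxm').
foreach (['m m', 'mxm', '12345', 'PHPSESSID', 'my.app'] as $candidate) {
    $problems = session_name_problems($candidate);
    printf("%-12s %s\n", var_export($candidate, true), $problems === [] ? 'ok' : implode('; ', $problems));
}
```

Run from the command line, the loop reports 'm m', '12345' and 'my.app' as rejected and 'mxm' and 'PHPSESSID' as ok; in a web request, replace the direct session_name()/session_start() pair with a call to start_named_session().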