Possible unescaped special chars in session name and bug after PHP patch #79699

[rarog]

Bug Report

Q	A
Version(s)	2.9.3

Summary

After the patch https://bugs.php.net/bug.php?id=79699 certain session names are buggy and won't work anymore.

Current behavior

The generated cookie name doesn't necessarily match the internal session name which is a problem after the php patch.

How to reproduce

1. Install the latest PHP featuring above bugfix.
2. Set up the session for example like this:

    'session_config' => [
        'name' => 'my:session',
    ],

3. The generated cookie name is my%3Asession but the module still expects to get a cookie for my:session, which it won't get with the security patch.

Expected behavior

Special characters like : should also be escaped during initalisation, so the cookie name and session name match.

[rarog]

According to https://curl.haxx.se/rfc/cookie_spec.html the escaped or forbidden characters should be :, ,, (whitespace) and probably =

[thisispiers]

\Laminas\Session\SessionManager::setName() throws an exception for non-alphanumeric characters in the session name. See

laminas-session/src/SessionManager.php

Line 266 in 9c845a0

'Name provided contains invalid characters; must be alphanumeric only'

This issue can marked as closed.