Strange session error in IE (and only sometimes)

Discussion in 'PHP' started by Lucky Bastard, Mar 21, 2005.

  1. #1
    Hi,

    I am getting the following session error:
    Warning: session_start(): The session id contains invalid characters, valid characters are only a-z, A-Z and 0-9 in http://www.yadayada.com/fdfd
    on line ##

    The above mentioned error ONLY seems to be occurring in IE, and only sometimes. I can't recreate it on my IE at all, but somebody else I know is getting it when they visit the site in question. Even on their version of IE in a totally new (unrelated) IE browser window it doesn't always occur.

    I haven't seen the error occur in anything other than IE (which doesn't mean it doesn't happen in a different browser).

    Anyone know what may be causing it, keeping in mind the sporadic nature of it.
     
    Lucky Bastard, Mar 21, 2005
  2. J.D.

    J.D. Peon

    Messages:
    1,198
    Likes Received:
    65
    Best Answers:
    0
    Trophy Points:
    0
    #2
    Set up cookie logging (either with %C or with CookieLog) and see what was actually passed as PHPSESSID in those requests that fail.

    J.D.
     
    J.D., Mar 21, 2005
  3. Lucky Bastard

    Lucky Bastard Peon

    Messages:
    406
    Likes Received:
    10
    Best Answers:
    0
    Trophy Points:
    0
    #3
    Hi JD,

    Thanks for the reply, how can I do that/where can I do that?

    I also know for a fact the person wasn't playing around with the session ID characters, wouldn't you assume PHP WOULD generate correct/valid IDs?
     
    Lucky Bastard, Mar 21, 2005
  4. J.D.
    #4
    Search for %...{Foobar}C on this page:

    http://httpd.apache.org/docs-2.0/mod/mod_log_config.html

    Just keep in mind that while this is turned on, your web log analysis tool may not work properly. This is where CookieLog may come in handy.

    You have to have access to your main server config for any of this, though. If you can't modify httpd.conf, you might want to do something on your own on the trouble page (i.e. log somehow $_COOKIE["PHPSESSID"]).

    Finally, you can use mod_rewrite to stick PHPSESSID to the URL line, so that it would get logged (again, your stats for this day will be screwed up) and you'd be able to see it.

    J.D.
     
    J.D., Mar 21, 2005
  5. Lucky Bastard
    #5
    Can I clarify for eg the below (which I am just typing in, not copying)
    balahblah.php?sess=FDFR4343FDFD32DdS
    sess = session name and FDFR4343FDFD32DdS is the session ID (in this case the problematic thing? Is that correct?)

    If so, another way I guess I could get it is to ask my friend to email me the session ID as displayed in their IE browser's address bar at time the problem occurs..correct?

    However how can such an error be browser related? Wouldn't one expect the problem to occur in all browsers if it was to occur in one browser?
     
    Lucky Bastard, Mar 21, 2005
  6. J.D.
    #6
    PHP session cookie looks like this:

    PHPSESSID=a63511378fac3c12380ae4acec6feff1

    Your error message indicates that the session ID can contain characters a-z, but as far as I can see, it's a hexadecimal string, which means that there may be only letters a-f and digits. Anyway, if you see anything that resembles binary data (either encoded or output directly), this will be your first step in determining what's going on.

    It's a cookie, you don't really see it in the browser, unless you go to the temp file folder. In this case, PHPSESSID are session cookies and are not stored on the hard drive (you can see them in FF, but I don't think there's a way to see this in IE).

    Gotta see the session ID cookie first!

    Your other option would be to set up a network sniffer on your side or a web proxy on your friend's side. In this case you would just log all traffic and as soon as you get the error, you will just have to see the sniffer/proxy logs and it all will be there.

    J.D.
     
    J.D., Mar 21, 2005
  7. Lucky Bastard
    #7
    Thanks JD, but SOMETIMES the PHPSESSID=a63511378fac3c12380ae4acec6feff1 displays in the URL string doesn't it, or is that something else? And the problem lies in the
    a63511378fac3c12380ae4acec6feff1 part of not being a-zA-Z0-9, is that what the above mentioned error indicates?

    BTW, it isn't called PHPSESSID on my site. Just to clarify is that the session name, where a63511378fac3c12380ae4acec6feff1 is the session ID? I just want to make sure I got my terms correct too.

    BTW, how can I find the log files that you mentioned earlier? Do I need SSH or some such? I am not very familiar with Putty and how to use it.
     
    Lucky Bastard, Mar 21, 2005
  8. J.D.
    #8
    You can use SID to pass session ID in the URL. It is not secure though. For example:

    <a href="page.php?<?= SID ?>">link</a>

    Echo the SID variable to see what your session is like:

    <?= SID ?>

    The name can be changed using session.name. Maybe your hosting company set it up differently.

    It has to be set up by whoever controls your main server configuration file. If you control the whole server, you can change /usr/local/apache2/conf/httpd.conf to include CookieLog (it's not turned on by default).

    J.D.
     
    J.D., Mar 21, 2005
  9. Lucky Bastard
    #9
    Thanks JD for all your help. Worked out what the problem was - got my friend to email me the URL string from the browser window to see what it was when the error occurred, and it looked along these lines:
    http://www.yadada.com/?PHPSESSID=a63511378fac3c12380ae4acec6feff1?PHPSESSID
    Note the double session ID name.

    It only occurred in one spot on the site so was easy to track and fix it.

    However I still am baffled as to why that error never occurred on my PC on my FF or IE browser when doing the exact same thing as my friend.

    Cheers mate!
     
    Lucky Bastard, Mar 22, 2005
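
Added example (not part of the thread): a PHP sketch of the page-level logging J.D. suggests in post #4, run on a constructed copy of the query string from the URL in post #9 to show why that request trips the warning. The function names, the log path and the use of PHP 7+ type declarations are assumptions; the allowed character set is the one quoted in the warning in post #1.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+; names and log path are hypothetical.
const SESSION_ID_LOG = '/tmp/session-id-debug.log';

// True when the ID uses only the characters named in the warning from post #1.
function session_id_is_valid(string $id): bool
{
    return preg_match('/\A[a-zA-Z0-9]+\z/', $id) === 1;
}

// Collect every session ID the client sent: the cookie and the URL parameter.
function received_session_ids(string $name, array $cookies, string $query): array
{
    $found = [];
    if (isset($cookies[$name]) && is_string($cookies[$name])) {
        $found['cookie'] = $cookies[$name];
    }
    parse_str($query, $params);
    if (isset($params[$name]) && is_string($params[$name])) {
        $found['url'] = $params[$name];
    }
    return $found;
}

// Log each invalid ID with its source and the browser, and return the invalid ones.
function log_bad_session_ids(string $name, array $cookies, string $query, string $agent): array
{
    $escape = "\0..\37\177..\377"; // control and non-ASCII bytes, escaped so a value cannot add log lines
    $bad = [];
    foreach (received_session_ids($name, $cookies, $query) as $source => $id) {
        if (session_id_is_valid($id)) {
            continue;
        }
        $bad[$source] = $id;
        $line = sprintf("%s %s via %s: \"%s\" agent=\"%s\"\n", date('c'), $name, $source,
            addcslashes($id, $escape), addcslashes($agent, $escape));
        error_log($line, 3, SESSION_ID_LOG);
    }
    return $bad;
}

// On the live page, before session_start():
//   log_bad_session_ids(session_name(), $_COOKIE, $_SERVER['QUERY_STRING'] ?? '',
//                       $_SERVER['HTTP_USER_AGENT'] ?? '');

// Constructed input: the query string of the URL quoted in post #9.
$query = 'PHPSESSID=a63511378fac3c12380ae4acec6feff1?PHPSESSID';
var_dump(log_bad_session_ids('PHPSESSID', [], $query, 'constructed-agent'));
```

Because only `&` separates query parameters, the second `?PHPSESSID` becomes part of the ID value, and the `?` is outside the allowed set. Logging the user agent next to the value also records which browser sent each bad request.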