I have this function:
public static function sessionStart()
{
try {
if (ini_get('session.use_cookies') && isset($_COOKIE['PHPSESSID'])) {
$sessid = $_COOKIE['PHPSESSID'];
} elseif (!ini_get('session.use_only_cookies') && isset($_GET['PHPSESSID'])) {
$sessid = $_GET['PHPSESSID'];
} else {
session_start();
return false;
}
if (preg_match('/[^a-zA-Z0-9\-]{32}/i', $sessid)) {
return false;
}
session_start();
return true;
} catch (Exception $ex) {
return false;
}
}
However, in some cases, session_start still throws a warning. How could I validate the session id so I will never get warnings? The problem started to creep in when I changed PHP version from 5.3 to 5.6.
Warning:
The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
One solution is to use the PHP error control operator:
@session_start();
If you want to validate that it started properly, just return the bool from that:
return @session_start();
(As stated in the documentation:)
This function returns TRUE if a session was successfully started, otherwise FALSE.
It also appears that your function checking for regex is also incorrect, I've updated it below:
!preg_match('/^[a-z0-9\-]{32}$/i', $sess)
You can see the results here.