I'm trying to check the value of the PHPSESSID before session_start() is called. I don't like messages like these:
session_start(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,' in
Illegal characters can be filtered by a simple regex: preg_replace("/[^a-zA-Z0-9]/", "", $input_lines);
But how do I check the max length? On my local XAMPP installation, I get a 26-character PHPSESSID, but on the deployment server I'm getting a 32-character PHPSESSID.
The PHP manual only says something about the allowed characters, but nothing about the length.
Depending on the session handler, not all characters are allowed within the session id. For example, the file session handler only allows characters in the range a-z A-Z 0-9 , (comma) and - (minus)!
EDIT: The big issue in this case is that this throws a warning, even with error_reporting disabled. The error also throws out the path of the file location. And that is unwanted!
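One way to do the check asked about above, as an added example that is not part of the original post: validate the incoming cookie against the character set named in the warning and discard it when it does not match, so session_start() issues a fresh ID instead of warning. The function names and the 128-character upper bound are assumptions made for this example (the post gives no limit), and it assumes the ID arrives only via cookie.

```php
<?php
// Added example, not code from the original post.
// SESSION_ID_MAX_LEN is an assumed upper bound chosen for this example;
// set it to match the ID length your PHP configuration generates.
const SESSION_ID_MAX_LEN = 128;

/**
 * True only for a non-empty string made of the characters the warning
 * lists as valid (a-z, A-Z, 0-9, ',' and '-') and no longer than $maxLen.
 * No type hint on $id: a request such as PHPSESSID[]=x turns the cookie
 * value into an array, which must be rejected rather than cause an error.
 */
function is_plausible_session_id($id, int $maxLen = SESSION_ID_MAX_LEN): bool
{
    if (!is_string($id)) {
        return false;
    }
    // \A and \z anchor the whole string; unlike $, \z does not accept
    // a trailing newline.
    return preg_match('/\A[a-zA-Z0-9,-]{1,' . $maxLen . '}\z/', $id) === 1;
}

/**
 * Drop a malformed session cookie before starting the session.
 * This runs before session_start(), so the malformed value is never
 * handed to the session handler.
 */
function start_session_checked(): bool
{
    $name = session_name(); // "PHPSESSID" unless reconfigured

    if (isset($_COOKIE[$name]) && !is_plausible_session_id($_COOKIE[$name])) {
        // Remove the bad value; session_start() then generates a new ID
        // and sends a replacement cookie to the client.
        unset($_COOKIE[$name]);
    }

    return session_start();
}

start_session_checked();
```

Rejecting and regenerating, rather than stripping characters with preg_replace(), avoids turning an arbitrary client-supplied string into a different ID that the application then accepts.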