Phalcon v5 forces strict session ID syntax

[wurst-hans]

Really?

I'm going to upgrade my middleware and projects from v4 to v5 and have been looking for hours, why my custom session handler does not work anymore. It causes PHP to create a new session ID on every request.
My session handler uses Random to generate a UUID v4 to be used as session ID.

After hours I found out, that Phalcon session manager checks session cookie value with following regex /^[a-z0-9]+$/iD. That explains, why my UUID is being ignored. That's a pity.

It should not be your (i.e. Phalcons) task to decide if a session ID is valid. When implementing a custom session handler (like I did) one can implement the SessionIdInterface which provides not only the create_sid() method but also a validateId() method that can be used for validating session ID.

[niden]

@wurst-hans If possible can you post a sample handler? I want to use it to create a test for this.

• Moving this to an issue

[wurst-hans]

Sorry, can't post my real code here due to NDA. But it should be simple to extend your stream adapter, like:

use Phalcon\Encryption\Security\Random;

class Stream extends Noop implements \SessionHandlerInterface, \SessionIdInterface
{
    [...]

    public function create_sid(): string
    {
        return (new Random())->uuid();
    }

    public function validateId(string $session): bool
    {
        return (bool)preg_match('/^[\da-f]{8}-[\da-f]{4}-4[\da-f]{3}-[89ab][\da-f]{3}-[\da-f]{12}$/iu', $session);
    }
}

As workaround, I've extended Phalcons session manager now and overwrite start() method and commented out the regex check.

[niden]

This one is perfectly fine. Thanks. I will sort this out shortly.