The PHP docs on session_name()
say:
It should contain only alphanumeric characters; it should be short and descriptive (i.e. for users with enabled cookie warnings). ... The session name can't consist of digits only, at least one letter must be present. Otherwise a new session id is generated every time.
So it's clear you must have something non-numeric in there, but it's not quite clear what characters you can't have. The cookie spec itself denies ()<>@,;:\"/[]?={}
, but that still leaves others that might be permitted but are not strictly alphanumeric. This is important because cookie security prefixes use -
and _
in names like __Secure-PHPSESSID
. So I had a rummage in the PHP source code at the session_name function – but I can't see that it does anything other than check it's a string. In practice, it works fine, but I'd be more comfortable knowing precisely why! For example, this works:
session_name('__Secure-PHPSESSID');
session_start();
$_SESSION['test'] = $_SESSION['test'] . "\n" . rand(0,100);
var_dump($_SESSION);
So what are the actual limits on PHP session names?
-
and_
, so I want to know exactly what the constraints are, not just what the docs say, as these are evidently not necessarily the same thing.