From 924e477e18a8bef615c98bea5344d1b1b8054df7 Mon Sep 17 00:00:00 2001
From: Andreas Gohr <gohr@cosmocode.de>
Date: Wed, 1 Mar 2017 10:03:11 +0100
Subject: [PATCH] adjust session ID check to specification

The documentation says sessionIDs are between 22 and 256 chars long. A
quick test only showed 26 chars in common configurations, but this
should cover all possibilities.
---
 inc/init.php | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/inc/init.php b/inc/init.php
index 3ea7df210..5317c25ad 100644
--- a/inc/init.php
+++ b/inc/init.php
@@ -232,6 +232,7 @@ mail_setup();
  * Makes sure the passed session cookie is valid, invalid ones are ignored an a new session ID is issued
  *
  * @link http://stackoverflow.com/a/33024310/172068
+ * @link http://php.net/manual/en/session.configuration.php#ini.session.sid-length
  */
 function init_session() {
     global $conf;
@@ -239,7 +240,7 @@ function init_session() {
     session_set_cookie_params(DOKU_SESSION_LIFETIME, DOKU_SESSION_PATH, DOKU_SESSION_DOMAIN, ($conf['securecookie'] && is_ssl()), true);
 
     // make sure the session cookie contains a valid session ID
-    if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{1,128}$/', $_COOKIE[DOKU_SESSION_NAME])) {
+    if(isset($_COOKIE[DOKU_SESSION_NAME]) && !preg_match('/^[-,a-zA-Z0-9]{22,256}$/', $_COOKIE[DOKU_SESSION_NAME])) {
         unset($_COOKIE[DOKU_SESSION_NAME]);
     }