From 8b115254c0b0d8aee80b99cb08992dc97cc3f8bc Mon Sep 17 00:00:00 2001
From: George Peter Banyard <girgias@php.net>
Date: Sat, 24 Sep 2022 12:05:50 +0100
Subject: [PATCH] Fix GH-9583: session_create_id() fails with user defined save
 handler that doesn't have a validateId() method

---
 NEWS                          |  4 ++++
 ext/session/session.c         |  3 ++-
 ext/session/tests/gh9583.phpt | 45 +++++++++++++++++++++++++++++++++++
 3 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 ext/session/tests/gh9583.phpt

diff --git a/NEWS b/NEWS
index 2b1107734a4..44c45bb5f5a 100644
--- a/NEWS
+++ b/NEWS
@@ -2,6 +2,10 @@ PHP                                                                        NEWS
 |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
 ?? ??? 2022, PHP 8.0.25
 
+- Session:
+  . Fixed bug GH-9583 (session_create_id() fails with user defined save handler
+    that doesn't have a validateId() method). (Girgias)
+
 29 Sep 2022, PHP 8.0.24
 
 - Core:
diff --git a/ext/session/session.c b/ext/session/session.c
index 01e6a8fd30b..fe39381950b 100644
--- a/ext/session/session.c
+++ b/ext/session/session.c
@@ -1083,8 +1083,9 @@ PHPAPI int php_session_register_module(const ps_module *ptr) /* {{{ */
 /* }}} */
 
 /* Dummy PS module function */
+/* We consider any ID valid, so we return FAILURE to indicate that a session doesn't exist */
 PHPAPI int php_session_validate_sid(PS_VALIDATE_SID_ARGS) {
-	return SUCCESS;
+	return FAILURE;
 }
 
 /* Dummy PS module function */
diff --git a/ext/session/tests/gh9583.phpt b/ext/session/tests/gh9583.phpt
new file mode 100644
index 00000000000..2c2af24b5c1
--- /dev/null
+++ b/ext/session/tests/gh9583.phpt
@@ -0,0 +1,45 @@
+--TEST--
+GH-9583: session_create_id() fails with user defined save handler that doesn't have a validateId() method
+--EXTENSIONS--
+session
+--SKIPIF--
+<?php include('skipif.inc'); ?>
+--FILE--
+<?php
+
+class SessionHandlerTester implements \SessionHandlerInterface
+{
+
+    public function close(): bool { return true; }
+
+    public function destroy($id): bool { return true; }
+
+    public function gc($max_lifetime): int|false { return 1; }
+
+    public function open($path, $name): bool { return true; }
+
+    public function read($id): string { return ''; }
+
+    public function write($id, $data): bool { return true; }
+
+    //public function create_sid() { return uniqid(); }
+
+    //public function validateId($key) { return true; }
+}
+
+$obj = new SessionHandlerTester();
+ini_set('session.use_strict_mode','1');
+session_set_save_handler($obj);
+session_start();
+
+echo "\nvalidateId() ".(method_exists($obj,'validateId')?('returns '.($obj->validateId(1)?'true':'false')):'is commented out');
+echo "\n";
+$sessionId = session_create_id();
+echo "\nSession ID:".$sessionId;
+echo "\n";
+
+?>
+--EXPECTF--
+validateId() is commented out
+
+Session ID:%s