CVE-2024-55603: Custom Session Handler Missing Expiration Check
A custom session handler implements the `read` method with database queries that do not check the session's expiration time, relying on PHP's garbage collection (`gc`) to purge stale rows. PHP only invokes `gc` at session start, with probability `session.gc_probability` / `session.gc_divisor` (1/100 by default), and some distributions (Debian-derived ones, for example) ship `session.gc_probability=0` and leave cleanup to a filesystem cron job that never touches a custom handler's store. Consequently, expired sessions remain readable from the data store for an unpredictable amount of time, allowing
greprules fetch cve-2024-55603-custom-session-handler-missing-expiration-check --engine opengrep
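The pattern above, as an added example that is not from the original page or from the affected project: a `SessionHandlerInterface` implementation backed by PDO on an in-memory SQLite database. The table name `sessions`, the column `expires_at`, the `readUnchecked` method name and the 1-second lifetime are illustrative assumptions, and PHP 8.0 or later is assumed for the union return types. `readUnchecked` is the vulnerable shape (the query ignores expiry and trusts `gc` to have run), while `read` puts the expiry check in the query itself so a stale row is treated as absent even though `gc` has not been called.

```php
<?php
// Added example, not code from the page or the affected project.
// Assumes PHP >= 8.0 with the pdo_sqlite extension; table/column names are made up.
declare(strict_types=1);

final class DbSessionHandler implements SessionHandlerInterface
{
    private PDO $db;
    private int $lifetime; // seconds a session stays valid after its last write

    public function __construct(PDO $db, int $lifetime)
    {
        $this->db = $db;
        $this->lifetime = $lifetime;
        $this->db->exec(
            'CREATE TABLE IF NOT EXISTS sessions (' .
            ' id TEXT PRIMARY KEY, data TEXT NOT NULL, expires_at INTEGER NOT NULL)'
        );
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    // VULNERABLE shape: returns whatever row exists for the id and never
    // consults expires_at. Rows that gc() has not yet deleted are still
    // returned, so an expired session is resurrected on the next request.
    public function readUnchecked(string $id): string|false
    {
        $stmt = $this->db->prepare('SELECT data FROM sessions WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : '';
    }

    // FIXED shape: the lifetime check is part of the read path, so the
    // handler does not depend on the probabilistic gc() call having run.
    public function read(string $id): string|false
    {
        $stmt = $this->db->prepare(
            'SELECT data FROM sessions WHERE id = :id AND expires_at > :now'
        );
        $stmt->execute([':id' => $id, ':now' => time()]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['data'] : ''; // empty string means "no session"
    }

    public function write(string $id, string $data): bool
    {
        // INSERT OR REPLACE is SQLite syntax; every write refreshes expires_at.
        $stmt = $this->db->prepare(
            'INSERT OR REPLACE INTO sessions (id, data, expires_at) VALUES (:id, :data, :exp)'
        );
        return $stmt->execute([
            ':id' => $id, ':data' => $data, ':exp' => time() + $this->lifetime,
        ]);
    }

    public function destroy(string $id): bool
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE id = :id');
        return $stmt->execute([':id' => $id]);
    }

    // Called by PHP only with probability gc_probability/gc_divisor, so it is
    // a cleanup job, not the place where expiry is enforced.
    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE expires_at <= :now');
        $stmt->execute([':now' => time()]);
        return $stmt->rowCount();
    }
}

// Demonstration: write one session with a 1-second lifetime, wait past it,
// and read it back through both code paths without ever calling gc().
$handler = new DbSessionHandler(new PDO('sqlite::memory:'), 1);
$handler->write('sess-1', 'user_id|i:42;'); // constructed sample session payload
sleep(2);
var_dump($handler->readUnchecked('sess-1'));
var_dump($handler->read('sess-1'));

// In an application the handler is installed with:
// session_set_save_handler($handler, true);
```

Run stand-alone, the first `var_dump` prints the stored payload (the expired session is still served) and the second prints an empty string (the session is gone as far as the application is concerned). When reviewing a handler, the thing to look for is exactly this difference: whether `read` (or the query it issues) compares the stored timestamp against the current time, or whether expiry exists only in `gc`.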