Using pipe character in session variable key causes session data to be removed

[mintopia]

Description

If data is added to $_SESSION with a key containining the pipe character (|) then all session data is removed when the session is saved.

<?php
session_start();
$_SESSION['foo|bar'] = 'value';

This also affects explicitly saving the session using session_write_close() as well as during request shutdown.

On a subsequent request, the $_SESSION variable will be empty, when the expectation is for it to contain the data.

The reason for this is that the pipe character is defined as a delimiter in session files between the key and the serialized value; and session.c explicitly causes an empty session to be written if the delimiter is used as a key.

This should probably throw a warning for the user to inform them that the session data has not been written, similar to when you try and use an invalid session save handler or it's unable to write the session file.

PHP Version

PHP 8.4.7 (cli) (built: May  6 2025 12:31:58) (NTS)
Copyright (c) The PHP Group
Built by Homebrew
Zend Engine v4.4.7, Copyright (c) Zend Technologies
    with Xdebug v3.4.2, Copyright (c) 2002-2025, by Derick Rethans
    with Zend OPcache v8.4.7, Copyright (c), by Zend Technologies

Operating System

No response

[nielsdos]

In an ideal world we change the encoding format of sessions, but that's a BC break and may require internals approval.
The solution of emitting a warning that you propose in the linked commit seems reasonable. Feel free to open a PR for that!