
Security: What could go wrong with users being able to name session variables?

So, I just found some super disturbing code simultaneously in some classic ASP code, as well as some PHP.

Classic ASP:

Dim id
id = request.form("id")

Session(id) = id

PHP:

$_SESSION[$_GET["id"]] = $_GET["id"];

So, what could go wrong here? Note, obviously I'll be removing these and using a better workflow.

EDIT: The obvious problems could be SQLi, XSS, overwriting existing and necessary session variables. I don't really know the inner workings of how these languages handle session variables though.

EDIT 2: I'm not really concerned with the values of the session variable as much as I'm concerned about being able to name them. Just curious if there's something crazy you could do with arbitrary variable names.

TheMonarch asked Oct 20 '22 00:10


1 Answer

I can set any number of session variables - say a1 a2 a3 a4 and so on. It's kind of an attack vector, right? Memory attack...

If you ever use these session variables in a MySQL query - classic case of SQL injection (not a big threat in this case as long as you have proper security).

As someone mentioned in the comment, if you are ever echoing the session variable, there is a possibility of XSS (cross-site injection).

If you are using it in forms, CSRF-type attacks and a lot of things.

Why use $_SESSION[$_GET['var']] when there are a million other possible stuff :-)

Sak90 answered Oct 27 '22 23:10
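The two problems raised above (overwriting session variables the application relies on, and creating any number of new ones), shown beside a hardened version, as an added example that is not part of the original question or answer. The `user_id`, `is_admin` and `selected_id` keys and the function names are assumptions for illustration, and a plain array stands in for `$_SESSION` so the script runs from the CLI.

```php
<?php
// Constructed session contents (assumed keys, not from the original post).
function new_session(): array
{
    return ['user_id' => 42, 'is_admin' => false];
}

// The pattern from the question: the request parameter chooses the session key.
function store_unsafe(array &$session, array $query): void
{
    $session[$query['id']] = $query['id'];
}

// Hardened form: the key is a constant chosen by the application, and only a
// validated positive integer is ever stored under it.
function store_safe(array &$session, array $query): bool
{
    $id = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;               // reject anything that is not a positive integer
    }
    $session['selected_id'] = $id;  // fixed key: existing entries cannot be replaced
    return true;
}

// 1. A request naming an existing key replaces the stored boolean with a
//    non-empty string, which any later `if ($session['is_admin'])` treats as true.
$s = new_session();
store_unsafe($s, ['id' => 'is_admin']);
var_dump($s['is_admin']);

// 2. Every distinct parameter value adds a new entry, so session size is
//    bounded only by how many requests arrive.
$s = new_session();
foreach (range(1, 1000) as $n) {
    store_unsafe($s, ['id' => "a$n"]);
}
echo count($s), " entries after 1000 requests\n";

// 3. The hardened version rejects the non-numeric name, accepts a numeric id,
//    and leaves the application's own keys untouched.
$s = new_session();
var_dump(store_safe($s, ['id' => 'is_admin']));
var_dump(store_safe($s, ['id' => '17']));
var_dump($s);
```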