config: Drupal 4.6.5 & 4.6.6, Apache 2, PHP 5.0.5, Fedora Core 4.
If the PHP session.auto_start setting is set to 1 (true), Drupal will not log the user in. See http://drupal.org/node/6696 for example. If a session is already active, the ini_set('session.save_handler', 'user'); in sites/default/settings.php fails with errors:
PHP Warning: ini_set() [function.ini-set]: A session is active. You cannot change the session module's ini settings at this time. in .../drupal-4.6.5/sites/default/settings.php on line 109
PHP Warning: ini_set() [function.ini-set]: A session is active. You cannot change the session module's ini settings at this time. in .../drupal-4.6.5/sites/default/settings.php on line 111
PHP Notice: A session had already been started - ignoring session_start() in .../drupal-4.6.5/includes/session.inc
Without the session.save_handler set to "user", the session_set_save_handler in includes/session.inc fails, which means none of the session handlers are set and the sessions table in the database isn't updated.
Whilst the .htaccess file is trying to set session.auto_start to 0, this didn't work on my system, nor will it work on systems running web servers other than Apache.
Drupal should at least check for this condition and report a meaningful error, or handle it gracefully. For example, the following modification to include/bootstrap.inc handles it (note: I'm not a PHP programmer and I haven't done huge amounts of testing on this so I'm not 100% sure this is OK).
function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES);
}

unset($conf);
$config = conf_init();
// If a session is already active (e.g. session.auto_start = 1), destroy it
// so that settings.php can change session.save_handler.
if (session_id() != "") {
  session_destroy();
}
include_once "$config/settings.php";
include_once 'includes/database.inc';
include_once 'includes/session.inc';
include_once 'includes/module.inc';
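One way to do the detection asked for in this report, as an added example that is not Drupal's code or the poster's patch: it stops the request with a message naming the cause when a session is already active before the custom handler can be installed, and can optionally fall back to the destroy-and-continue approach shown above. All function names are hypothetical.

```php
<?php
// Added example, not Drupal code; all function names are hypothetical.

/**
 * Lists the conditions under which ini_set('session.save_handler', ...)
 * and session_set_save_handler() cannot take effect.
 */
function example_session_preflight() {
  $problems = array();

  // When enabled, PHP opens a session before any script code runs.
  if (filter_var(ini_get('session.auto_start'), FILTER_VALIDATE_BOOLEAN)) {
    $problems[] = 'session.auto_start is enabled; set it to 0 in php.ini.';
  }
  // A non-empty ID means a session was started before this code ran
  // (by auto_start or by an earlier session_start() call).
  if (session_id() != '') {
    $problems[] = 'A session is already active, so the session handler cannot be changed.';
  }
  return $problems;
}

/**
 * Call before settings.php is included. With $recover set, an active session
 * is destroyed (the approach proposed in the post); otherwise the request is
 * stopped with a message that names the cause.
 */
function example_session_guard($recover = FALSE) {
  $problems = example_session_preflight();
  if (!$problems) {
    return TRUE;
  }
  error_log('Session setup: ' . implode(' ', $problems));
  if ($recover && session_id() != '') {
    session_destroy();
    // Continue only if the session really is gone.
    if (session_id() == '') {
      return TRUE;
    }
  }
  if (!headers_sent()) {
    header('HTTP/1.1 500 Internal Server Error');
  }
  exit('Configuration error: ' . implode(' ', $problems));
}

example_session_guard();
```

Failing closed here matters because, as the report describes, the alternative is a site that serves pages while the sessions table is never updated.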
Comments
Comment #1
Uwe Hermann commented: Is this still a problem in 4.7rc3?
Comment #2
markus_petrux commented: session.auto_start is not compatible with custom session handlers, which is what Drupal does, i.e. Drupal needs to install its own session handler before the session can be started.
I'm inclined to say won't fix, mostly because session.auto_start is Off by default. Maybe adding a note about this in the INSTALL.txt would suffice?
Comment #3
Bearzilla commented: Even if the PHP default is for session.auto_start to be disabled, the default installation of Fedora Core 4 enables session.auto_start in the PHP.ini file. I haven't tried any other Red Hat based release so I'm not sure how widespread this is. I really think this is something that needs to be addressed within Drupal itself for several reasons:
Just documenting the problem doesn't really help with the first two points, there needs to be a fix for it. At the very least, Drupal should detect this and put out a meaningful error.
Comment #4
magico commented: Following #2 this should be "won't fix". Anyway I would like to get some feedback from senior developers, please.
Comment #5
killes@www.drop.org commented: yep.