config: Drupal 4.6.5 & 4.6.6, Apache 2, PHP 5.0.5, Fedora Core 4.

If the PHP session.auto_start setting is set to 1 (true), Drupal will not log the user in. See http://drupal.org/node/6696 for example. If a session is already active, the ini_set('session.save_handler', 'user'); in sites/default/settings.php fails with errors:

PHP Warning: ini_set() [function.ini-set]: A session is active. You cannot change the session module's ini settings at this time. in .../drupal-4.6.5/sites/default/settings.php on line 109
PHP Warning: ini_set() [function.ini-set]: A session is active. You cannot change the session module's ini settings at this time. in .../drupal-4.6.5/sites/default/settings.php on line 111
PHP Notice: A session had already been started - ignoring session_start() in .../drupal-4.6.5/includes/session.inc

Without the session.save_handler set to "user", the session_set_save_handler in includes/session.inc fails, which means none of the session handlers are set and the sessions table in the database isn't updated.

Whilst the .htaccess file is trying to set session.auto_start to 0, this didn't work on my system, nor will it work on systems running web servers other than Apache.

Drupal should at least check for this condition and report a meaningful error, or handle it gracefully. For example, the following modification to include/bootstrap.inc handles it (note: I'm not a PHP programmer and I haven't done huge amounts of testing on this so I'm not 100% sure this is OK).

function check_plain($text) {
  return htmlspecialchars($text, ENT_QUOTES);
}

unset($conf);
$config = conf_init();

// If session.auto_start has already started a session, destroy it so that
// settings.php can still change the session ini settings.
if (session_id() != "") {
  session_destroy();
}

include_once "$config/settings.php";
include_once 'includes/database.inc';
include_once 'includes/session.inc';
include_once 'includes/module.inc';

Comments

Uwe Hermann’s picture

Is this still a problem in 4.7rc3?

markus_petrux’s picture

Version: 4.6.6 » x.y.z

session.auto_start is not compatible with custom session handlers, which is what Drupal does, i.e. Drupal needs to install its own session handler before the session can be started.

I'm inclined to say won't fix, mostly because session.auto_start is Off by default. Maybe adding a note to remind of this in the INSTALL.txt would suffice?

Bearzilla’s picture

Even if the PHP default is for session.auto_start to be disabled, the default installation of Fedora Core 4 enables session.auto_start in the PHP.ini file. I haven't tried any other Red Hat based release so I'm not sure how widespread this is. I really think this is something that needs to be addressed within Drupal itself for several reasons:

  • The user may not have access to change the PHP.ini file.
  • Changing session.auto_start to false may break other applications; it could have been turned on for a reason, which means the user is stuck with running one application or the other.
  • The fact that it didn't work out of the box and gave no useful error messages makes Drupal look really bad. I spent hours searching for the solution without luck and I'm a very experienced Unix sysadmin. I was just about to get rid of it, but decided to investigate a bit further. Judging from the number of entries in http://drupal.org/node/6696, this has been around for a while and has affected quite a few people. How many just gave up on Drupal because of it?
  • Just documenting the problem doesn't really help with the first two points; there needs to be a fix for it. At the very least, Drupal should detect this and put out a meaningful error.
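
An added example, not part of the thread and not Drupal code: a preflight check of the kind the original report and the comment above ask for, turning the condition into readable error messages instead of a silent login failure. The function names and the sample input values are hypothetical and constructed for illustration.

```php
<?php
// Added example, not Drupal code: all function names here are hypothetical.

// PHP may hand back a boolean ini value as "1", "On", "true" or "yes",
// depending on where it was set (php.ini vs. a per-directory override).
function example_ini_flag_enabled($raw) {
  return in_array(strtolower(trim((string) $raw)), array('1', 'on', 'true', 'yes'), TRUE);
}

// Pure decision logic, so it can be exercised with constructed values.
//   $auto_start   - ini_get('session.auto_start')
//   $session_id   - session_id() before settings.php is included
//   $save_handler - ini_get('session.save_handler') after settings.php ran
function example_session_preflight($auto_start, $session_id, $save_handler) {
  $problems = array();
  if (example_ini_flag_enabled($auto_start)) {
    $problems[] = 'session.auto_start is enabled; PHP starts a session before '
      . 'Drupal can register its database session handlers.';
  }
  if ((string) $session_id !== '') {
    $problems[] = 'A session is already active; ini_set() on session.* settings '
      . 'will be refused.';
  }
  if ($save_handler !== 'user') {
    $problems[] = "session.save_handler is '$save_handler', not 'user'; the "
      . 'sessions table will not be updated and logins will not persist.';
  }
  return $problems;
}

// Constructed inputs reproducing the report: auto_start on, a session id
// already issued, and the stock file handler still in place.
$reported = example_session_preflight('1', 'constructedsessionid0001', 'files');
// Constructed inputs for a correctly configured host.
$healthy = example_session_preflight('0', '', 'user');

foreach ($reported as $line) {
  echo "Session configuration error: $line\n";
}
echo count($healthy) === 0 ? "healthy host: no problems\n" : "unexpected\n";

// Against the live interpreter the call would be:
// example_session_preflight(ini_get('session.auto_start'), session_id(),
//                           ini_get('session.save_handler'));
```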

magico’s picture

Following #2 this should be "won't fix". Anyway I would like to get some feedback from senior developers, please.

killes@www.drop.org’s picture

Status: Active » Closed (won't fix)

yep.