diff --git a/core/includes/common.inc b/core/includes/common.inc
index 88d6fd3..17470f9 100644
--- a/core/includes/common.inc
+++ b/core/includes/common.inc
@@ -2087,7 +2087,7 @@ function url($path = NULL, array $options = array()) {
 if ($options['query']) {
 $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
 }
- if (isset($options['https']) && variable_get('https', FALSE)) {
+ if (isset($options['https']) && settings()->get('mixed_mode_sessions', FALSE)) {
 if ($options['https'] === TRUE) {
 $path = str_replace('http://', 'https://', $path);
 }
@@ -2103,7 +2103,7 @@ function url($path = NULL, array $options = array()) {
 // The base_url might be rewritten from the language rewrite in domain mode.
 if (!isset($options['base_url'])) {
- if (isset($options['https']) && variable_get('https', FALSE)) {
+ if (isset($options['https']) && settings()->get('mixed_mode_sessions', FALSE)) {
 if ($options['https'] === TRUE) {
 $options['base_url'] = $base_secure_url;
 $options['absolute'] = TRUE;
diff --git a/core/includes/form.inc b/core/includes/form.inc
index 3ebaca1..9710e02 100644
--- a/core/includes/form.inc
+++ b/core/includes/form.inc
@@ -1839,7 +1839,7 @@ function form_builder($form_id, &$element, &$form_state) {
 // Special handling if we're on the top level form element.
 if (isset($element['#type']) && $element['#type'] == 'form') {
- if (!empty($element['#https']) && variable_get('https', FALSE) &&
+ if (!empty($element['#https']) && settings()->get('mixed_mode_sessions', FALSE) &&
 !url_is_external($element['#action'])) {
 global $base_root;
diff --git a/core/includes/session.inc b/core/includes/session.inc
index 31e67a6..beb5659 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
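Review bot: In the first url() hunk the `'https'` option is honoured only when `settings()->get('mixed_mode_sessions', FALSE)` is true, so a caller that passes `'https' => TRUE` gets the URL back with its scheme unchanged whenever the setting is off, and nothing at the check says so. A comment above the condition would make the coupling explicit, for example `// The 'https' option only takes effect when $settings['mixed_mode_sessions'] is enabled; otherwise the scheme is left as is.` The same applies to the second url() hunk, to the `#https` check in form_builder() and to language_url_rewrite_url(). No handling of the old `https` variable is visible in this diff, so sites that relied on it would presumably have to add the new setting to settings.php by hand; that is worth stating in the change record. url() begins and ends outside the hunk.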
@@ -188,14 +188,14 @@ function _drupal_session_write($sid, $value) {
 // The "secure pages" setting allows a site to simultaneously use both
 // secure and insecure session cookies. If enabled and both cookies are
 // presented then use both keys.
- if (variable_get('https', FALSE)) {
+ if (settings()->get('mixed_mode_sessions', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 if (isset($_COOKIE[$insecure_session_name])) {
 $key['sid'] = $_COOKIE[$insecure_session_name];
 }
 }
 }
- elseif (variable_get('https', FALSE)) {
+ elseif (settings()->get('mixed_mode_sessions', FALSE)) {
 unset($key['ssid']);
 }
@@ -239,7 +239,7 @@ function drupal_session_initialize() {
 // We use !empty() in the following check to ensure that blank session IDs
 // are not valid.
- if (!empty($_COOKIE[session_name()]) || ($is_https && variable_get('https', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
+ if (!empty($_COOKIE[session_name()]) || ($is_https && settings()->get('mixed_mode_sessions', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
 // If a session cookie exists, initialize the session. Otherwise the
 // session is only started on demand in drupal_session_commit(), making
 // anonymous users not use a session cookie unless something is stored in
@@ -260,7 +260,7 @@ function drupal_session_initialize() {
 // anonymous users than are generated in drupal_session_regenerate() when
 // a user becomes authenticated.
 session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
- if ($is_https && variable_get('https', FALSE)) {
+ if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
 $_COOKIE[$insecure_session_name] = $session_id;
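Review bot: The context comment at the top of the _drupal_session_write() hunk still calls this `The "secure pages" setting`, while the condition below it now reads `mixed_mode_sessions`; a reader searching settings.php for "secure pages" will find nothing. Suggest rewording it to `// The 'mixed_mode_sessions' setting allows a site to simultaneously use both secure and insecure session cookies.` and doing the same for `If the "secure pages" setting is enabled` in the drupal_session_regenerate() hunk at line 380. The function body starts and ends outside the hunk.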
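Review bot: The condition in the first drupal_session_initialize() hunk repeats two things inline that the rest of session.inc also spells out by hand: the `settings()->get('mixed_mode_sessions', FALSE)` lookup and the `substr(session_name(), 1)` derivation of the insecure cookie name. A mistyped key in any one copy would silently fall back to FALSE and leave write, commit, regenerate and destroy disagreeing about which cookies exist. A small private helper (the name is only a suggestion), `function _drupal_session_mixed_mode() { return settings()->get('mixed_mode_sessions', FALSE); }`, would keep the key in one place; the hunks for drupal_session_commit(), drupal_session_regenerate() and _drupal_session_destroy() would use it too.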
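Review bot: In the second drupal_session_initialize() hunk the insecure session id is built with `drupal_hash_base64(uniqid(mt_rand(), TRUE))`, and neither uniqid() nor mt_rand() is a cryptographic source, so hashing the result does not add unpredictability. The context comment indicates that weaker ids for anonymous users are a deliberate speed trade-off, but in mixed mode this id is the one assigned to the insecure session cookie. If drupal_random_bytes() is available at this point in bootstrap, consider `$session_id = drupal_hash_base64(drupal_random_bytes(55));`, or at least extend the comment to say the weaker id is accepted for the insecure cookie as well. The function continues outside the hunk.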
@@ -315,7 +315,7 @@ function drupal_session_commit() {
 // started.
 if (!drupal_session_started()) {
 drupal_session_start();
- if ($is_https && variable_get('https', FALSE)) {
+ if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 $params = session_get_cookie_params();
 $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
@@ -351,7 +351,7 @@ function drupal_session_regenerate() {
 return;
 }
- if ($is_https && variable_get('https', FALSE)) {
+ if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
 $old_insecure_session_id = $_COOKIE[$insecure_session_name];
@@ -380,7 +380,7 @@ function drupal_session_regenerate() {
 $fields['ssid'] = session_id();
 // If the "secure pages" setting is enabled, use the newly-created
 // insecure session identifier as the regenerated sid.
- if (variable_get('https', FALSE)) {
+ if (settings()->get('mixed_mode_sessions', FALSE)) {
 $fields['sid'] = $session_id;
 }
 }
@@ -440,7 +440,7 @@ function _drupal_session_destroy($sid) {
 if ($is_https) {
 _drupal_session_delete_cookie(substr(session_name(), 1), FALSE);
 }
- elseif (variable_get('https', FALSE)) {
+ elseif (settings()->get('mixed_mode_sessions', FALSE)) {
 _drupal_session_delete_cookie('S' . session_name(), TRUE);
 }
 }
diff --git a/core/modules/language/language.negotiation.inc b/core/modules/language/language.negotiation.inc
index 6565c6d..ca41c78 100644
--- a/core/modules/language/language.negotiation.inc
+++ b/core/modules/language/language.negotiation.inc
@@ -480,7 +480,7 @@ function language_url_rewrite_url(&$path, &$options) {
 $options['base_url'] .= ':' . $port;
 }
- if (isset($options['https']) && variable_get('https', FALSE)) {
+ if (isset($options['https']) && settings()->get('mixed_mode_sessions', FALSE)) {
 if ($options['https'] === TRUE) {
 $options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
 }
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index b2fbc90..f58bf28 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -439,6 +439,14 @@
 # $settings['allow_authorize_operations'] = FALSE;
 /**
+ * Mixed-mode sessions:
+ *
+ * Set to TRUE to create both secure and insecure sessions when using HTTPS.
+ * Defaults to FALSE.
+ */
+# $settings['mixed_mode_sessions'] = TRUE;
+
+/**
 * Base URL (optional).
 *
 * If Drupal is generating incorrect URLs on your site, which could
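Review bot: The new docblock in default.settings.php describes only session creation, but in this same commit the setting also decides whether the `'https'` option of url() and `#https` on forms have any effect, which an administrator reading settings.php cannot tell. It also gives no hint of the trade-off: the insecure session identifier is, by design, one that travels without transport protection. Suggest adding two lines to the docblock, for example ` * Also required for the 'https' URL option and #https forms to take effect.` and ` * The insecure session cookie is sent over plain HTTP; enable only if needed.`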