diff --git a/mongodb_session/mongodb_session.inc b/mongodb_session/mongodb_session.inc
index 3c6db5f..f39af63 100644
--- a/mongodb_session/mongodb_session.inc
+++ b/mongodb_session/mongodb_session.inc
@@ -316,6 +316,11 @@ function drupal_session_started($set = NULL) {
 */
 function drupal_session_regenerate() {
 global $user, $is_https;
+ // Nothing to do if we are not allowed to change the session.
+ if (!drupal_save_session()) {
+ return;
+ }
+
 if ($is_https && variable_get('https', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
@@ -364,6 +369,11 @@ function drupal_session_regenerate() {
 function _drupal_session_destroy($sid) {
 global $user, $is_https;
+ // Nothing to do if we are not allowed to change the session.
+ if (!drupal_save_session()) {
+ return;
+ }
+
 $field = $is_https ? 'ssid' : 'sid';
 mongodb_collection(variable_get('mongodb_session', 'session'))
 ->remove(array($field => $sid), mongodb_default_write_options(FALSE));
@@ -410,6 +420,11 @@ function _drupal_session_delete_cookie($name, $secure = NULL) {
 * User ID.
 */
 function drupal_session_destroy_uid($uid) {
+ // Nothing to do if we are not allowed to change the session.
+ if (!drupal_save_session()) {
+ return;
+ }
+
 mongodb_collection(variable_get('mongodb_session', 'session'))
 ->remove(array('uid' => $uid), mongodb_default_write_options(FALSE));
 }
@@ -450,7 +465,10 @@ function _drupal_session_garbage_collection($lifetime) {
 * FALSE if writing session data has been disabled. Otherwise, TRUE.
 */
 function drupal_save_session($status = NULL) {
- $save_session = &drupal_static(__FUNCTION__, TRUE);
+ // PHP session ID, session, and cookie handling happens in the global scope.
+ // This value has to persist across calls to drupal_static_reset(), since a
+ // potentially wrong or disallowed session would be written otherwise.
+ static $save_session = TRUE;
 if (isset($status)) {
 $save_session = $status;
 }
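Review bot: In drupal_session_regenerate() the new early return skips the session-ID rotation without any signal to the caller, and the added comment says what happens but not why. Rotating the ID is the usual defence against session fixation at login or privilege change, so a caller that runs while saving is disabled keeps the pre-existing ID. The docblock, which starts outside this hunk, should state that. A more explicit inline comment would be `// Saving is disabled, so the stored session and cookie must stay untouched; no new ID is issued.` The same guard with the same comment appears in _drupal_session_destroy() and drupal_session_destroy_uid(), whose docblocks need the same note.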
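Review bot: The guard added to _drupal_session_destroy() exits with a bare `return;`, which hands NULL back to the caller. If this function is the destroy callback registered with session_set_save_handler() (the registration is not visible in this hunk), PHP documents a boolean return for it, and PHP 7 and later warn and treat a non-boolean as failure. Writing `return TRUE;` in the guard keeps the callback contract explicit. The rest of the body lies outside the hunk, so its normal return path should be checked for the same thing.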
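Review bot: drupal_session_destroy_uid() removes the stored sessions of whichever account `$uid` names, not only the current request's session, yet the new guard makes it a silent no-op whenever saving is disabled for the current request. Code that disables saving and then relies on this function to revoke an account's sessions (callers are not visible here, so this needs confirming) would leave those records in the collection with no error or log entry. If the skip is intended, the docblock should say so, for example `Does nothing while drupal_save_session() returns FALSE; callers revoking access must re-enable saving first.`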
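Review bot: With `static $save_session` in drupal_save_session() the flag can no longer be restored through drupal_static_reset(), so a caller that sets it to FALSE and leaves early, for instance on an exception, keeps regenerate and destroy disabled for the rest of the request. The new comment explains why the value must persist, but the docblock still documents only the return value. It should tell callers to restore the previous state themselves, e.g. `$old = drupal_save_session(); drupal_save_session(FALSE); /* ... */ drupal_save_session($old);`. The function stores `$status` exactly as passed, so the docblock could also state that a boolean is expected; the function body continues past the end of this hunk.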