diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php index 706e7ab..bba50de 100644 --- a/core/lib/Drupal/Core/Session/SessionManager.php +++ b/core/lib/Drupal/Core/Session/SessionManager.php @@ -125,10 +125,6 @@ public function start() { global $_session_user; $_session_user = new AnonymousUserSession(); - // Randomly generate a session identifier for this request. This is - // necessary because \Drupal\user\SharedTempStoreFactory::get() wants to - // know the future session ID of a lazily started session in advance. - // // @todo: With current versions of PHP there is little reason to generate // the session id from within application code. Consider using the // default php session id instead of generating a custom one: @@ -211,8 +207,6 @@ public function save() { * {@inheritdoc} */ public function regenerate($destroy = FALSE, $lifetime = NULL) { - $user = \Drupal::currentUser(); - // Nothing to do if we are not allowed to change the session. if ($this->isCli()) { return; @@ -227,7 +221,7 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) { if ($this->isStarted()) { $old_session_id = $this->getId(); } - session_id(Crypt::randomBytesBase64()); + session_regenerate_id(); $this->getMetadataBag()->clearCsrfTokenSeed(); diff --git a/core/modules/user/src/PrivateTempStore.php b/core/modules/user/src/PrivateTempStore.php index e99d5fc..9e8e716 100644 --- a/core/modules/user/src/PrivateTempStore.php +++ b/core/modules/user/src/PrivateTempStore.php @@ -7,6 +7,7 @@ namespace Drupal\user; +use Drupal\Component\Utility\Crypt; use Drupal\Component\Utility\String; use Drupal\Core\KeyValueStore\KeyValueStoreExpirableInterface; use Drupal\Core\Lock\LockBackendInterface; @@ -56,13 +57,6 @@ class PrivateTempStore { protected $currentUser; /** - * The request stack. - * - * @var \Symfony\Component\HttpFoundation\RequestStack - */ - protected $requestStack; - - /** * The time to live for items in seconds. * * By default, data is stored for one week (604800 seconds) before expiring. @@ -80,16 +74,15 @@ class PrivateTempStore { * of key/value pairs. * @param \Drupal\Core\Lock\LockBackendInterface $lockBackend * The lock object used for this data. - * @param mixed $owner - * The owner key to store along with the data (e.g. a user or session ID). + * @param \Drupal\Core\Session\AccountProxyInterface $current_user + * The current user. * @param int $expire * The time to live for items, in seconds. */ - public function __construct(KeyValueStoreExpirableInterface $storage, LockBackendInterface $lockBackend, AccountProxyInterface $current_user, RequestStack $request_stack, $expire = 604800) { + public function __construct(KeyValueStoreExpirableInterface $storage, LockBackendInterface $lockBackend, AccountProxyInterface $current_user, $expire = 604800) { $this->storage = $storage; $this->lockBackend = $lockBackend; $this->currentUser = $current_user; - $this->requestStack = $request_stack; $this->expire = $expire; } @@ -211,6 +204,14 @@ protected function createkey($key) { * The owner. */ protected function getOwner() { - return $this->currentUser->id() ?: $this->requestStack->getCurrentRequest()->getSession()->getId(); + if ($this->currentUser->isAuthenticated()) { + return $this->currentUser->id(); + } + // Anonymous users needs special handling. + if (!isset($_SESSION['user_private_owner'])) { + $_SESSION['user_private_owner'] = Crypt::randomBytesBase64(); + } + return $_SESSION['user_private_owner']; } + } diff --git a/core/modules/user/src/PrivateTempStoreFactory.php b/core/modules/user/src/PrivateTempStoreFactory.php index bd62633..52abbda 100644 --- a/core/modules/user/src/PrivateTempStoreFactory.php +++ b/core/modules/user/src/PrivateTempStoreFactory.php @@ -39,13 +39,6 @@ class PrivateTempStoreFactory { protected $currentUser; /** - * The request stack. - * - * @var \Symfony\Component\HttpFoundation\RequestStack - */ - protected $requestStack; - - /** * The time to live for items in seconds. * * @var int @@ -55,18 +48,19 @@ class PrivateTempStoreFactory { /** * Constructs a Drupal\user\PrivateTempStoreFactory object. * - * @param \Drupal\Core\Database\Connection $connection - * The connection object used for this data. + * @param \Drupal\Core\KeyValueStore\KeyValueExpirableFactoryInterface $storage_factory + * The storage factory creating the backend to store the data. * @param \Drupal\Core\Lock\LockBackendInterface $lockBackend * The lock object used for this data. + * @param \Drupal\Core\Session\AccountProxyInterface $current_user + * The current user. * @param int $expire * The time to live for items, in seconds. */ - function __construct(KeyValueExpirableFactoryInterface $storage_factory, LockBackendInterface $lockBackend, AccountProxyInterface $current_user, RequestStack $request_stack, $expire = 604800) { + function __construct(KeyValueExpirableFactoryInterface $storage_factory, LockBackendInterface $lockBackend, AccountProxyInterface $current_user, $expire = 604800) { $this->storageFactory = $storage_factory; $this->lockBackend = $lockBackend; $this->currentUser = $current_user; - $this->requestStack = $request_stack; $this->expire = $expire; } @@ -83,7 +77,7 @@ function __construct(KeyValueExpirableFactoryInterface $storage_factory, LockBac function get($collection) { // Store the data for this collection in the database. $storage = $this->storageFactory->get("user.private_tempstore.$collection"); - return new PrivateTempStore($storage, $this->lockBackend, $this->currentUser, $this->requestStack, $this->expire); + return new PrivateTempStore($storage, $this->lockBackend, $this->currentUser, $this->expire); } } diff --git a/core/modules/user/src/SharedTempStoreFactory.php b/core/modules/user/src/SharedTempStoreFactory.php index 3a18c4c..b2944a8 100644 --- a/core/modules/user/src/SharedTempStoreFactory.php +++ b/core/modules/user/src/SharedTempStoreFactory.php @@ -8,6 +8,7 @@ namespace Drupal\user; use Drupal\Component\Serialization\SerializationInterface; +use Drupal\Component\Utility\Crypt; use Drupal\Core\KeyValueStore\KeyValueExpirableFactoryInterface; use Drupal\Core\Lock\LockBackendInterface; @@ -71,7 +72,17 @@ function get($collection, $owner = NULL) { // Use the currently authenticated user ID or the active user ID unless // the owner is overridden. if (!isset($owner)) { - $owner = \Drupal::currentUser()->id() ?: session_id(); + $account = \Drupal::currentUser(); + if ($account->isAuthenticated()) { + $owner = $account->id(); + } + else { + // Anonymous users needs special handling. + if (!isset($_SESSION['user_shared_owner'])) { + $_SESSION['user_shared_owner'] = Crypt::randomBytesBase64(); + } + $owner = $_SESSION['user_shared_owner']; + } } // Store the data for this collection in the database. diff --git a/core/modules/user/user.services.yml b/core/modules/user/user.services.yml index 5bec22c..39e7237 100644 --- a/core/modules/user/user.services.yml +++ b/core/modules/user/user.services.yml @@ -60,7 +60,7 @@ services: arguments: ['@entity.manager', '@password'] user.private_tempstore: class: Drupal\user\PrivateTempStoreFactory - arguments: ['@keyvalue.expirable', '@lock', '@current_user', '@request_stack', '%user.tempstore.expire%'] + arguments: ['@keyvalue.expirable', '@lock', '@current_user', '%user.tempstore.expire%'] tags: - { name: backend_overridable } user.shared_tempstore: