? 328781-follow-up_3.patch
? anon-sessions-11.patch
? anon-sessions-etc.patch
? assertTitle-1.patch
? cache-gzip-4.patch
? css-preprocess-1-filemtime.patch
? custom_url_rewrite_outbound-3.patch
? file_238299.patch
? file_255551_3pre.patch
? file_create_url-17.patch
? file_create_url-18.patch
? ini_set-1.patch
? ini_set-2.patch
? reply-to-d5-1.patch
? reply-to-d6-1.patch
? show-tables-2.patch
? streamwrapper-D7-28.patch
? streamwrapper-D7-29.patch
? strict-2.patch
? strict-error-reporting-1.patch
? x
? modules/simpletest/tests/file_dummy_stream_wrapper.inc
? sites/chsc-drupal.dev.peytz.dk
? sites/sites.php
? sites/all/modules
? sites/default/files
Index: includes/bootstrap.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/bootstrap.inc,v
retrieving revision 1.258
diff -u -9 -p -r1.258 bootstrap.inc
--- includes/bootstrap.inc	20 Dec 2008 18:24:32 -0000	1.258
+++ includes/bootstrap.inc	23 Dec 2008 15:10:36 -0000
@@ -397,18 +397,24 @@ function drupal_initialize_variables() {
 
   // Override PHP settings required for Drupal to work properly.
   // sites/default/default.settings.php contains more runtime settings.
   // The .htaccess file contains settings that cannot be changed at runtime.
 
   // Prevent PHP from generating HTML error messages.
   ini_set('html_errors', 0);
   // Don't escape quotes when reading files from the database, disk, etc.
   ini_set('magic_quotes_runtime', '0');
+  // Use session cookies, not transparent sessions that puts the session id in
+  // the query string.
+  ini_set('session.use_only_cookies', '1');
+  ini_set('session.use_trans_sid', '1');
+  // Don't send HTTP headers using PHP's session handler.
+  ini_set('session.cache_limiter', 'none');
 }
 
 /**
  * Validate that $_SERVER['HTTP_HOST'] is safe.
  *
  * As $_SERVER['HTTP_HOST'] is user input, ensure it only contains characters
  * allowed in hostnames. See RFC 952 (and RFC 2181). $_SERVER['HTTP_HOST'] is
  * lowercased.
  *
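Review bot: The added `ini_set('session.use_trans_sid', '1');` turns transparent session ids on, which contradicts the comment directly above it and the value `0` that this same patch removes from default.settings.php. It should read `ini_set('session.use_trans_sid', '0');`. With `session.use_only_cookies` set to `'1'`, PHP should still refuse a session id arriving in the URL, but whether it also stops writing the id into generated links depends on the PHP version. A session id in a query string ends up in Referer headers, proxy and server logs, and bookmarks. The body of drupal_initialize_variables() starts outside this hunk, so any earlier session settings are not visible here.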
Index: sites/default/default.settings.php
===================================================================
RCS file: /cvs/drupal/drupal/sites/default/default.settings.php,v
retrieving revision 1.17
diff -u -9 -p -r1.17 default.settings.php
--- sites/default/default.settings.php	22 Nov 2008 16:48:20 -0000	1.17
+++ sites/default/default.settings.php	23 Dec 2008 15:10:37 -0000
@@ -188,29 +188,32 @@ $update_free_access = FALSE;
 /**
  * PHP settings:
  *
  * To see what PHP settings are possible, including whether they can be set at
  * runtime (by using ini_set()), read the PHP documentation:
  * http://www.php.net/manual/en/ini.php#ini.list
  * See drupal_initialize_variables() in includes/bootstrap.inc for required
  * runtime settings and the .htaccess file for non-runtime settings. Settings
  * defined there should not be duplicated here so as to avoid conflict issues.
+ *
+ * Set session lifetime (in seconds), i.e. the time from the user's last visit
+ * to the active session may be deleted by the session garbage collector. When
+ * a session is deleted, authenticated users are logged out, and the contents
+ * of the user's $_SESSION variable is discarded.
+ */
+ini_set('session.gc_maxlifetime', 200000);
+
+/**
+ * Set session cookie lifetime (in seconds), i.e. the time from the session is
+ * created to the cookie expires, i.e. when the browser is expected to discard
+ * the cookie. The value 0 means "until the browser is closed".
  */
-ini_set('arg_separator.output',     '&amp;');
-ini_set('magic_quotes_sybase',      0);
-ini_set('session.cache_expire',     200000);
-ini_set('session.cache_limiter',    'none');
-ini_set('session.cookie_lifetime',  2000000);
-ini_set('session.gc_maxlifetime',   200000);
-ini_set('session.save_handler',     'user');
-ini_set('session.use_only_cookies', 1);
-ini_set('session.use_trans_sid',    0);
-ini_set('url_rewriter.tags',        '');
+ini_set('session.cookie_lifetime', 2000000);
 
 /**
  * Drupal automatically generates a unique session cookie name for each site
  * based on on its full domain name. If you have multiple domains pointing at
  * the same Drupal site, you can either redirect them all to a single domain
  * (see comment in .htaccess), or uncomment the line below and specify their
  * shared base domain. Doing so assures that users remain logged in as they
  * cross between your various domains.
  */
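Review bot: Ten ini_set() calls are removed here, but only `session.use_only_cookies`, `session.use_trans_sid` and `session.cache_limiter` reappear in the bootstrap.inc hunk, and `session.gc_maxlifetime` and `session.cookie_lifetime` stay in this file. `arg_separator.output`, `magic_quotes_sybase`, `session.cache_expire`, `session.save_handler` and `url_rewriter.tags` have no replacement visible in this diff, so they fall back to whatever php.ini provides. The one that matters most for session handling is `ini_set('url_rewriter.tags', '');`, which stopped PHP from rewriting links and forms to carry the session id; it should be kept, or moved to drupal_initialize_variables() with the other required settings. If the other removals are intentional because the handler and quoting are set elsewhere, the patch description should say so. The new comment could also note that the retained values let the cookie (2000000 s) outlive the server-side session (200000 s).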
