diff --git a/core/core.services.yml b/core/core.services.yml
index c8851dd..5613f5e 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -721,11 +721,6 @@ services:
 factory_service: authentication
 arguments: ['@request']
 synchronized: true
- session_handler:
- class: Drupal\Core\Session\SessionHandler
- arguments: ['@request', '@database']
- tags:
- - { name: persist }
 asset.css.collection_renderer:
 class: Drupal\Core\Asset\CssCollectionRenderer
 arguments: [ '@state' ]
diff --git a/core/includes/session.inc b/core/includes/session.inc
index 96b141c..4c9b14b 100644
--- a/core/includes/session.inc
+++ b/core/includes/session.inc
@@ -9,7 +9,6 @@ use Drupal\Component\Utility\Settings;
 use Drupal\Core\Session\AnonymousUserSession;
 use Drupal\Core\Session\SessionHandler;
-use Drupal\Core\Utility\Error;
 /**
 * Initializes the session handler, starting a session if needed.
@@ -22,7 +21,8 @@ function drupal_session_initialize() {
 }
 // Register the default session handler.
- $handler = \Drupal::service('session_handler');
+ // @todo: Extract session storage from session handler into a service.
+ $handler = new SessionHandler(\Drupal::request(), \Drupal::database());
 session_set_save_handler($handler, TRUE);
 $is_https = \Drupal::request()->isSecure();
diff --git a/core/lib/Drupal/Core/Session/SessionHandler.php b/core/lib/Drupal/Core/Session/SessionHandler.php
index 2c4c9f9..8b51764 100644
--- a/core/lib/Drupal/Core/Session/SessionHandler.php
+++ b/core/lib/Drupal/Core/Session/SessionHandler.php
@@ -10,7 +10,6 @@ use Drupal\Component\Utility\Crypt;
 use Drupal\Component\Utility\Settings;
 use Drupal\Core\Database\Connection;
-use Drupal\Core\DestructableInterface;
 use Drupal\Core\Utility\Error;
 use Symfony\Component\HttpFoundation\Request;
@@ -62,9 +61,6 @@ public function open($save_path, $name) {
 /**
 * {@inheritdoc}
- *
- * Initializes the global $user object for the user associated with the
- * session.
 */
 public function read($sid) {
 global $user;
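Review bot: `$handler = new SessionHandler(\Drupal::request(), \Drupal::database());` now builds the handler by hand, so the `persist` tag that the deleted `session_handler` service carried in core.services.yml no longer applies to this instance; if SessionHandler implemented DestructableInterface (the same commit drops that import), the container will no longer call destruct() on it, and the final session write then rests entirely on the `TRUE` shutdown-registration argument passed to session_set_save_handler(). A sentence in the comment recording that this is deliberate would keep the next reader from re-adding the service lookup, and Drupal's @todo form takes no colon: `// @todo Extract session storage from session handler into a service.` drupal_session_initialize() continues outside the hunk.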
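Review bot: The docblock for read() is reduced to `{@inheritdoc}`, yet the `global $user;` on the next line shows the method still has a side effect the interface documentation cannot describe — the removed sentence said it initializes the global $user for the user associated with the session, and that appears to still be the case. Keep one line after the inherit tag, e.g. `* Initializes the global $user object for the user associated with the session.`, so callers are not surprised by a global write from a session-read callback. read() continues outside the hunk.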
@@ -79,16 +75,20 @@ public function read($sid) {
 }
 // Otherwise, if the session is still active, we have a record of the
- // client's session in the database. If it's HTTPS then we are either have
- // a HTTPS session or we are about to log in so we check the sessions table
+ // client's session in the database. If it's HTTPS then we are either have a
+ // HTTPS session or we are about to log in so we check the sessions table
 // for an anonymous session with the non-HTTPS-only cookie. The session ID
- // that is in the user's cookie is hashed before being stored in the database
- // as a security measure. Thus, we have to hash it to match the database.
+ // that is in the user's cookie is hashed before being stored in the
+ // database as a security measure. Thus, we have to hash it to match the
+ // database.
 if ($this->request->isSecure()) {
+ // Try to load a session using the HTTPS-only secure session id.
 $values = $this->connection->query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(
 ':ssid' => Crypt::hashBase64($sid),
 ))->fetchAssoc();
 if (!$values) {
+ // Fallback and try to load the anonymous non-HTTPS session. Use the
+ // non-HTTPS session id as the key.
 if ($cookies->has($insecure_session_name)) {
 $values = $this->connection->query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
 ':sid' => Crypt::hashBase64($cookies->get($insecure_session_name)),
@@ -97,6 +97,7 @@ public function read($sid) {
 }
 }
 else {
+ // Try to load a session using the non-HTTPS session id.
 $values = $this->connection->query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(
 ':sid' => Crypt::hashBase64($sid),
 ))->fetchAssoc();
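Review bot: The new comment above the fallback query says what is tried but not why the query is restricted: the `AND s.uid = 0` on the line below it is what guarantees the non-HTTPS cookie can only ever resolve to an anonymous session and never an authenticated one, and that is the one fact a future editor of this branch must not lose. Suggest `// Fall back to the anonymous non-HTTPS session, keyed by the non-HTTPS session id. The uid = 0 condition ensures the non-HTTPS cookie can never resume an authenticated session.` The rewrapped paragraph also carries over the pre-existing wording 'we are either have a HTTPS session'; since those lines were rewritten anyway, `// client's session in the database. If it's HTTPS then we either have an` / `// HTTPS session or we are about to log in, so we check the sessions table` reads correctly. read() continues outside the hunk.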
@@ -143,14 +144,16 @@ public function write($sid, $value) {
 // manually.
 try {
 if (!drupal_save_session()) {
- // We don't have anything to do if we are not allowed to save the session.
+ // We don't have anything to do if we are not allowed to save the
+ // session.
 return TRUE;
 }
 // Check whether $_SESSION has been changed in this request.
 $is_changed = empty($this->lastRead) || $this->lastRead['sid'] != $sid || $this->lastRead['value'] !== $value;
 // For performance reasons, do not update the sessions table, unless
- // $_SESSION has changed or more than 180 has passed since the last update.
+ // $_SESSION has changed or more than 180 has passed since the last
+ // update.
 $needs_update = !$user->getLastAccessedTime() || REQUEST_TIME - $user->getLastAccessedTime() > Settings::get('session_write_interval', 180);
 if ($is_changed || $needs_update) {
@@ -170,8 +173,8 @@ public function write($sid, $value) {
 $key['ssid'] = Crypt::hashBase64($sid);
 $cookies = $this->request->cookies;
 // The "secure pages" setting allows a site to simultaneously use both
- // secure and insecure session cookies. If enabled and both cookies are
- // presented then use both keys. The session ID from the cookie is
+ // secure and insecure session cookies. If enabled and both cookies
+ // are presented then use both keys. The session ID from the cookie is
 // hashed before being stored in the database as a security measure.
 if (Settings::get('mixed_mode_sessions', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
@@ -192,7 +195,7 @@ public function write($sid, $value) {
 if ($user->isAuthenticated() && REQUEST_TIME - $user->getLastAccessedTime() > Settings::get('session_write_interval', 180)) {
 $this->connection->update('users')
 ->fields(array(
- 'access' => REQUEST_TIME
+ 'access' => REQUEST_TIME,
 ))
 ->condition('uid', $user->id())
 ->execute();
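Review bot: The rewrapped comment above `$needs_update` still says 'more than 180 has passed', which drops the unit and hard-codes a number that the expression below actually reads from `Settings::get('session_write_interval', 180)`; since the lines were rewritten anyway, `// $_SESSION has changed or more than session_write_interval seconds (180 by` / `// default) have passed since the last update.` describes the code. The same setting is read again in the `if ($user->isAuthenticated() && ...)` condition of the -192 hunk, so a reader looking for the interval will want the comment to name it. write() continues outside the hunk.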
@@ -201,8 +204,8 @@ public function write($sid, $value) { } catch (\Exception $exception) { require_once DRUPAL_ROOT . '/core/includes/errors.inc'; - // If we are displaying errors, then do so with no possibility of a further - // uncaught exception being thrown. + // If we are displaying errors, then do so with no possibility of a + // further uncaught exception being thrown. if (error_displayable()) { print '

Uncaught exception thrown in session handler.

'; print '

' . Error::renderExceptionSafe($exception) . '


';