Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
All callbacks in the session manager that start, save or regenerate a session check whether the application runs in a cli environment and if that is the case no session is actually started. The destroy
callback lacks this check.
Steps to reproduce
I've put together a simple browser test that that displays this behaviour.
Proposed resolution
Add the if ($this->isCli()) {
check to the destroy method.
Comment | File | Size | Author |
---|---|---|---|
#6 | interdiff.txt | 1.39 KB | raman.b |
#6 | 3172757-6.patch | 1.34 KB | raman.b |
session_destroy_from_cli_with_test.patch | 1.38 KB | Erik Frèrejean | |
session_destroy_from_cli_fix_only.patch | 477 bytes | Erik Frèrejean | |
session_destroy_from_cli_current_behavior.patch | 935 bytes | Erik Frèrejean | |
Comments
Comment #3
Erik FrèrejeanComment #4
liesm CreditAttribution: liesm as a volunteer commentedThat seems like a reasonable change and with the provided tests being green this can be RTBC'ed.
Comment #5
alexpottShould be moved to core/tests/Drupal/KernelTests/Core/Session directory and have
namespace Drupal\KernelTests\Core\Session;
as a namespace.@group Session
Can be a Kernel test - ie extend from KernelTestBase
Tests starting and destroying a session from the CLI.
Comment #6
raman.b CreditAttribution: raman.b at OpenSense Labs commentedAddressing pointers from #5
Not sure if it's relevant in CLI context, but there is one usage of
\Drupal::service('session_manager')->destroy();
inuser_logout()
other thanDrupal\Core\Session\SessionManager
itself.Comment #8
Erik Frèrejean@alexpott
Well consistency is one. The main reason I found this was when creating tests for a bit of logic that forces a logout before continuing. We call
user_logout()
at that point, which in turn hard calls\Drupal::service('session_manager')->destroy();
. Logging in a user from the CLI isn't a problem because all those methods have theif ($this->isCli()) {
construct. So you'll end up with a user that identifies as authenticated but without a session.The alternative is that we check for the existence of a session but IMO that should be responsibility of the session manager, especially because it already handles that case for all other session calls.
@raman.b thanks for the update.
Comment #9
alexpottI'd love to see a SessionManager without all the isCli checks - but in lieu of that the consistency argument is persuasive.
Committed and pushed eb75aa3d3d to 9.2.x and 8146809d28 to 9.1.x. Thanks!