- Usage scenario:
An online shop that allows users to buy products without having to register for an account.
The user browses products, adds products to the cart and does a checkout. Browsing works over http - the checkout uses https.
After the customer has done the checkout, he continues browsing and then wants to buy another product, but as soon as he tries to enter the checkout the cart (session) is lost.
- Technical scenario:
The user switches several times between http and https. With the current implementation of the session handling this isn't supported.
We end up with a "duplicated" entry in the sessions table.
I think this post is about the same scenario: http://drupal.org/node/575280#comment-3694746
On a step up from http to https this seems not to be a big problem, but what about a step down from https to http?
The session contents could be security (permission) relevant.
Would this approach open a new attack vector?
When do we have to do a session regenerate to prevent the possibility of session hijacking?
Changes in the attached patch:
Use only the sid as key on http connections. This prevents a duplicated session when stepping down from https to http.
On initially stepping up from http to https use only the sid as key since ssid doesn't exist in the table. But make sure the
This code definitely needs a review - I don't like how I have to check if it's an initial step up :|
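The two-key lookup described in the post (sid for http requests, ssid for https requests, with the "initial step up" detected by the row having no ssid yet) is easiest to reason about when run against a small model. The following is an added example written for this page; it is neither Drupal's session.inc nor the attached patch, and the names Row, SessionStore, Browser, shop_scenario, replay_sniffed_sid and regenerate_after_login are assumptions of this example. It walks through the shop scenario (http, https, http, https) and checks that one row survives the step-down, and also shows the check a reviewer would want on the step-up rule: a sid read off the wire must not be accepted over https once the row is bound to an ssid.

```python
# Toy model of a two-key session table (sid for http, ssid for https).
# Constructed for this example; it is not Drupal's session.inc or the patch above.
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Row:
    sid: str                # key used by plain-http requests
    ssid: Optional[str]     # key used by https requests; None until the first step-up
    data: dict = field(default_factory=dict)


class SessionStore:
    """The 'sessions table'. Lookups follow the rules stated in the issue text."""

    def __init__(self) -> None:
        self.rows: list[Row] = []

    def _by_sid(self, sid: Optional[str]) -> Optional[Row]:
        return next((r for r in self.rows if sid and r.sid == sid), None)

    def _by_ssid(self, ssid: Optional[str]) -> Optional[Row]:
        return next((r for r in self.rows if ssid and r.ssid == ssid), None)

    def read(self, cookies: dict, is_https: bool) -> Row:
        """Return the row for a request, creating a fresh one if nothing matches.

        http : key on sid only. The ssid cookie carries the Secure flag and never
               arrives over http, so a step-down cannot create a second row.
        https: key on ssid when the browser sent one. A request carrying a sid but
               no ssid is treated as the *initial* step-up only if that row has no
               ssid yet; a sid sniffed over http cannot be replayed over https once
               the row has been bound to an ssid.
        """
        if not is_https:
            row = self._by_sid(cookies.get("sid"))
        else:
            row = self._by_ssid(cookies.get("ssid"))
            if row is None:
                cand = self._by_sid(cookies.get("sid"))
                if cand is not None and cand.ssid is None:
                    cand.ssid = secrets.token_urlsafe(32)  # bind the https key
                    row = cand
        if row is None:
            row = Row(sid=secrets.token_urlsafe(32), ssid=None)
            if is_https:
                row.ssid = secrets.token_urlsafe(32)
            self.rows.append(row)
        return row

    def regenerate(self, row: Row) -> None:
        """New identifiers, same data: do this on login or any privilege change so
        an identifier fixed or observed before the change is worthless afterwards."""
        row.sid = secrets.token_urlsafe(32)
        if row.ssid is not None:
            row.ssid = secrets.token_urlsafe(32)


class Browser:
    """Cookie jar honouring the Secure flag: ssid is only sent over https."""

    def __init__(self) -> None:
        self.jar: dict[str, str] = {}

    def request(self, store: SessionStore, is_https: bool) -> Row:
        sent = dict(self.jar)
        if not is_https:
            sent.pop("ssid", None)  # Secure cookie is not sent over http
        row = store.read(sent, is_https)
        self.jar["sid"] = row.sid
        if is_https and row.ssid:
            self.jar["ssid"] = row.ssid
        return row


def shop_scenario() -> tuple:
    """browse (http) -> checkout (https) -> browse (http) -> checkout (https)."""
    store, shopper = SessionStore(), Browser()
    shopper.request(store, False).data.setdefault("cart", []).append("book")
    shopper.request(store, True).data["cart"].append("pen")   # step up
    shopper.request(store, False)                              # step down
    cart = shopper.request(store, True).data.get("cart", [])  # step up again
    return len(store.rows), cart                               # expect (1, ['book', 'pen'])


def replay_sniffed_sid() -> bool:
    """Does a sid read off an http request reach the https-bound session? (False)"""
    store, shopper = SessionStore(), Browser()
    shopper.request(store, False).data["cart"] = ["book"]
    shopper.request(store, True)            # row is now bound to an ssid
    attacker = store.read({"sid": shopper.jar["sid"]}, is_https=True)
    return attacker.data.get("cart") == ["book"]


def regenerate_after_login() -> bool:
    """After regenerate(), the old identifiers no longer resolve to the row."""
    store, shopper = SessionStore(), Browser()
    row = shopper.request(store, True)
    old = {"sid": row.sid, "ssid": row.ssid}
    store.regenerate(row)
    return store.read(old, is_https=True) is not row
```

The sid itself stays replayable over plain http, which is the inherent limit of any http session; the point of the second key is that the https-bound state is only reachable through an identifier that never crossed the wire in clear, and that the fallback for the first step-up closes again as soon as the row has an ssid.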
FAILED: [[SimpleTest]]: [MySQL] 34,099 pass(es), 29 fail(s), and 11 exception(es).
FAILED: [[SimpleTest]]: [MySQL] 33,950 pass(es), 8 fail(s), and 0 exception(es).
FAILED: [[SimpleTest]]: [MySQL] Unable to apply patch drupal-session-handling-https-step-down-support-1131986-9_0.patch. This may be a -p0 (old style) patch, which is no longer supported by the testbots.
FAILED: [[SimpleTest]]: [MySQL] Invalid patch format in drupal-session-handling-https-step-down-support.patch.