Problem/Motivation

There are lots of problems with SessionManager but regenerate talks to the database.

Proposed resolution

Move the code talking to the database in a method. This is the absolute minimum that can be possibly written to make SessionManager overridable. After that you need a new constructor and override delete but delete is small so no worries there and the constructor is service dependent anyways.

Remaining tasks

User interface changes

API changes

CommentFileSizeAuthor
#2 interdiff.txt1.66 KBchx
#2 2371875_2.patch3.76 KBchx
session_overrideable.patch3.71 KBchx
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

znerol’s picture

znerol CreditAttribution: znerol commented

There are lots of problems with SessionManager

Indeed. And it is sad that it takes ages for session-patches to get committed.

  1. +++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -406,4 +395,32 @@ protected function getSessionDataMask() {
+   * @param $old_session_id
...
+   * @param $is_https
...
+   * @param $new_insecure_session_id

    Missing type-hints in @param annotation: string, bool, string. 

  2. +++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -406,4 +395,32 @@ protected function getSessionDataMask() {
+  protected function regenerateStorage($old_session_id, $is_https, $new_insecure_session_id) {

    Perhaps use migrateStoredSession. "Migrate" is the term used in the public facing API (SessionInterface).

chx’s picture

chx CreditAttribution: chx commented
Title: session_manager can not be overridden » session_manager can't be reasonably overridden
FileSize
2371875_2.patch3.76 KB
interdiff.txt1.66 KB
znerol’s picture

znerol CreditAttribution: znerol commented
Status: Needs review » Reviewed & tested by the community
alexpott’s picture

alexpott
he/they
Primary language English
Location 🇪🇺🌍
CreditAttribution: alexpott commented
Status: Reviewed & tested by the community » Fixed

This issue is a normal bug fix, and doesn't include any disruptive changes, so it is allowed per https://www.drupal.org/core/beta-changes. Committed 44f8f78 and pushed to 8.0.x. Thanks!

diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 4eb9ff5..5bf7d10 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -410,7 +410,7 @@ protected function getSessionDataMask() {
   protected function migrateStoredSession($old_session_id, $is_https, $new_insecure_session_id) {
     $fields = array('sid' => Crypt::hashBase64($this->getId()));
     if ($is_https) {
-      $fields['ssid'] = Crypt::hashBase64($this->getId());
+      $fields['ssid'] = $fields['sid'];
       // If the "secure pages" setting is enabled, use the newly-created
       // insecure session identifier as the regenerated sid.
       if ($this->isMixedMode()) {

Tiny optimisation fix on commit - so we're not hashing the same value twice within the space of 3 lines of code.

  • alexpott committed 44f8f78 on 8.0.x 
    Issue #2371875 by chx: Fixed session_manager can't be reasonably...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.