I think we should consider moving the responsibility for global $user out of session.inc entirely. This is related to #335411: Switch to Symfony2-based session handling.

So in this case session.inc would just try to find a valid session based on the cookie.

Then user_boot() and user_exit() would figure out from the session if the user is authenticated or anonymous or not. We could probably move the uid to a value in the session data rather than a database column as well.

There's existing discussion about refactoring our session handling in general at #335411: Switch to Symfony2-based session handling, but this feels like a smaller patch that could simplify that process a lot.

Comments

sdboyer

I agree. Detangling global $user from the session lets us handle these problems in isolation, which does make things cleaner.

Seems like this patch might be a good place to introduce the user wrapper to replace the global. That idea was in some of the original patches from #335411: Switch to Symfony2-based session handling, and is a mighty nice addition, especially for testing.

Anonymous

yep, big me too on getting $user outta there.

sun

This issue almost sounds like a duplicate of #1549526: Change global $user into $session

znerol

Status: Active » Closed (duplicate)
Related issues: +#2228393: Decouple session from cookie based user authentication