Problem/Motivation
Users can implement their own custom session handler systems by setting the 'session_inc' variable to something other than the default "includes/session.inc". This setting isn't respected by authorize.php, however, which has a hard-coded include of "includes/session.inc".
This leads to either fatal errors (if the custom session handler doesn't check if the default handler is loaded) or failed session loading (if it does check).
Proposed resolution
Remove the hard-coded include of "includes/session.inc" in authorize.php and let the session handler be loaded properly by the bootstrap process.
Remaining tasks
- Write patch for D7 and D8.
- Community to test patch(es) #1.
  - Install Drupal 7 or 8 – standard profile
  - Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
  - Ensure that the message "It appears you have reached this page in error." appears.
  - Create the file '/custom_session.inc' with the following contents:

        <?php
        function drupal_session_initialize() {
          echo('Custom session handler was called.');
          exit();
        }

  - Add the following line to /sites/default/settings.php:

        $conf['session_inc'] = 'custom_session.inc';

  - Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
  - Ensure that the fatal error "Cannot redeclare drupal_session_initialize()" occurs.
  - Apply relevant patch #1.
  - Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
  - Ensure that the message "Custom session handler was called." appears.
- Commit patches to D7 and D8.
User interface changes
None.
API changes
None.
Comment | File | Size | Author |
---|---|---|---|
#1 | D7_core-authorize.php_sessions-1399168-2.patch | 482 bytes | Akaoni |
#1 | D8_core-authorize.php_sessions-1399168-2.patch | 527 bytes | Akaoni |
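
A source check for the pattern this issue fixes, as an added example that is not part of the original issue or of Drupal core: it flags include/require statements that name "includes/session.inc" literally instead of resolving the 'session_inc' variable. The PHP excerpts are constructed samples and the Python function names are hypothetical.

```python
import re

DEFAULT_HANDLER = "includes/session.inc"
# PHP string literals and comments; strings are matched so that a "//" or "#"
# inside a string is not mistaken for a comment.
TOKEN_RE = re.compile(
    r"""'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*""", re.S)
# include / include_once / require / require_once up to the terminating ';'.
INCLUDE_RE = re.compile(r"\b(?:require|include)(?:_once)?\b[^;]*;", re.S)

def blank_comments(src):
    """Replace comments with spaces, keeping newlines so line numbers hold."""
    def repl(m):
        tok = m.group(0)
        return tok if tok[0] in "'\"" else re.sub(r"[^\n]", " ", tok)
    return TOKEN_RE.sub(repl, src)

def hardcoded_session_includes(src):
    """Return [(line, statement)] for includes that load the default session
    handler by literal path without consulting the 'session_inc' variable."""
    clean = blank_comments(src)
    hits = []
    for m in INCLUDE_RE.finditer(clean):
        stmt = m.group(0)
        if DEFAULT_HANDLER in stmt and "session_inc" not in stmt:
            line = clean.count("\n", 0, m.start()) + 1
            hits.append((line, " ".join(stmt.split())))
    return hits

# Constructed sample: an entry script with the hard-coded include.
BEFORE = """<?php
// Constructed excerpt, not the real authorize.php.
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
require_once DRUPAL_ROOT . '/includes/session.inc';
require_once DRUPAL_ROOT . '/includes/common.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION);
"""
# Constructed sample: the same script with the include removed.
AFTER = BEFORE.replace("require_once DRUPAL_ROOT . '/includes/session.inc';",
                       "// require_once DRUPAL_ROOT . '/includes/session.inc';")
# Constructed sample: a loader that honours the configured handler.
CONFIGURED = ("<?php\nrequire_once DRUPAL_ROOT . '/' . "
              "variable_get('session_inc', 'includes/session.inc');\n")

if __name__ == "__main__":
    for name, src in (("before", BEFORE), ("after", AFTER),
                      ("configured", CONFIGURED)):
        print(name, hardcoded_session_includes(src))
```

Run over a site's entry scripts and contributed code, a non-empty result marks a code path that would bypass a custom session handler configured through 'session_inc'.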
Comments
Comment #1
Akaoni commented: D7 and D8 patches:
Comment #2
Akaoni commented: Change to D7 to test patch.
Comment #3
Akaoni commented: #1: D7_core-authorize.php_sessions-1399168-2.patch queued for re-testing.
Comment #4
Akaoni commented: Back to D8.
Comment #5
Akaoni commented: Updated issue summary and added test plan.
Comment #7
ryan.gibson commented: I followed the steps listed, the patch in #1 applied cleanly. After applying the patch, I got the "Custom session handler was called." text.
Comment #8
ryan.gibson commented: I should have clarified, I tested both the D8 and D7 patches and got the same results.
Comment #9
Dries commented: This seems like the correct fix. Leaving it as RTBC for more people to review.
Comment #10
Akaoni commented: @ryanissamson: Thanks for testing this, mate!! ;)
@Dries: Thanks for weighing in!!
Comment #11
catch commented: Looks good to me. Committed/pushed to 8.x. CNR for 7.x.
Comment #12
Akaoni commented: Thanks catch.
As stated in #8, this has already been reviewed and tested for D7.
Comment #12.0
Akaoni commented: Patches written.
Added test plan.
Comment #13
David_Rothstein commented: Committed to 7.x - thanks! http://drupalcode.org/project/drupal.git/commit/25c2521
Comment #13.0
David_Rothstein commented: Updated remaining tasks.
Comment #14.0
(not verified) commented: Update remaining tasks.