By default, PHP has its session cookie lifetime set to 0 (http://hu.php.net/manual/en/session.configuration.php#ini.session.cookie...). That means, that the cookie expires when the browser is closed. If your Drupal environment runs on such an out-of-the box PHP setup, the latest session code will set a session that (instead of expiring when the browser is closed), expires right when it it set, and Drupal will not get it back on the next request.

This is because Drupal now uses this code to set the cookie:

    $params = session_get_cookie_params();
    setcookie(session_name(), session_id(), REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);

So if the lifetime is 0 as is the default, the REQUEST_TIME is the expiration time, so the browser will expire the cookie immediately. We should consider the case when this is 0 and pass on 0 consequently. The attached patch implements that.

CommentFileSizeAuthor
#8 drupal.session-lifetime-wrap-ya.8.patch1.13 KBsun
#4 846330_session_expire_cookie.patch1.52 KBJacobSingh
expire-cookie.patch1.29 KBGábor Hojtsy
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

JacobSingh’s picture

JacobSingh CreditAttribution: JacobSingh commented
Status: Needs review » Reviewed & tested by the community

This looks obviously broken to me and the patches seems correct.

Damien Tournoud’s picture

Damien Tournoud CreditAttribution: Damien Tournoud commented
Priority: Critical » Normal

Clearly not critical. The standard default.settings.php file has:

ini_set('session.cookie_lifetime', 2000000);

Otherwise, that's definitely an oversight that needs fixing.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Needs work

Let's add a simple code comment, please.

JacobSingh’s picture

JacobSingh CreditAttribution: JacobSingh commented
Status: Needs work » Needs review
FileSize
846330_session_expire_cookie.patch1.52 KB

How's this?

Gábor Hojtsy’s picture

Gábor Hojtsy
he/him
Primary language Hungarian
Location Hungary
CreditAttribution: Gábor Hojtsy commented
Status: Needs review » Reviewed & tested by the community

Looks good to me.

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Thanks. Committed to CVS HEAD.

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented 
+++ includes/session.inc
@@ -309,7 +309,10 @@ function drupal_session_regenerate() {
+    // If the session cookie lifetime is set, the session will expire $params['lifetime'] seconds from the current request.
+    // If it is not set, it will expire when the browser is closed.

Heavily exceeds 80 chars.

40 critical left. Go review some!

sun’s picture

sun
Primary language German
Location Karlsruhe
CreditAttribution: sun commented
Status: Fixed » Reviewed & tested by the community
FileSize
drupal.session-lifetime-wrap-ya.8.patch1.13 KB
grendzy’s picture

grendzy CreditAttribution: grendzy commented
Issue tags: +Quick fix, +Documentation

+1

Dries’s picture

Dries CreditAttribution: Dries commented
Status: Reviewed & tested by the community » Fixed

Committed to CVS HEAD. Thanks.

Status: Fixed » Closed (fixed)
Issue tags: -Quick fix, -Documentation

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue tags: +Quick fix, +Documentation

Restoring issue tags, see #2125755: System messages removed all issue tags during D7 upgrade.