By default, PHP has its session cookie lifetime set to 0 (http://hu.php.net/manual/en/session.configuration.php#ini.session.cookie...). That means, that the cookie expires when the browser is closed. If your Drupal environment runs on such an out-of-the box PHP setup, the latest session code will set a session that (instead of expiring when the browser is closed), expires right when it it set, and Drupal will not get it back on the next request.
This is because Drupal now uses this code to set the cookie:
$params = session_get_cookie_params();
setcookie(session_name(), session_id(), REQUEST_TIME + $params['lifetime'], $params['path'], $params['domain'], $params['secure'], $params['httponly']);
So if the lifetime is 0 as is the default, the REQUEST_TIME is the expiration time, so the browser will expire the cookie immediately. We should consider the case when this is 0 and pass on 0 consequently. The attached patch implements that.
Comment | File | Size | Author |
---|---|---|---|
#8 | drupal.session-lifetime-wrap-ya.8.patch | 1.13 KB | sun |
#4 | 846330_session_expire_cookie.patch | 1.52 KB | JacobSingh |
expire-cookie.patch | 1.29 KB | Gábor Hojtsy | |
Comments
Comment #1
JacobSingh CreditAttribution: JacobSingh commentedThis looks obviously broken to me and the patches seems correct.
Comment #2
Damien Tournoud CreditAttribution: Damien Tournoud commentedClearly not critical. The standard default.settings.php file has:
Otherwise, that's definitely an oversight that needs fixing.
Comment #3
Dries CreditAttribution: Dries commentedLet's add a simple code comment, please.
Comment #4
JacobSingh CreditAttribution: JacobSingh commentedHow's this?
Comment #5
Gábor HojtsyLooks good to me.
Comment #6
Dries CreditAttribution: Dries commentedThanks. Committed to CVS HEAD.
Comment #7
sunHeavily exceeds 80 chars.
40 critical left. Go review some!
Comment #8
sunComment #9
grendzy CreditAttribution: grendzy commented+1
Comment #10
Dries CreditAttribution: Dries commentedCommitted to CVS HEAD. Thanks.