author | webchick <webchick@24967.no-reply.drupal.org> | 2012-08-18 14:10:10 +0200 |
---|---|---|
committer | webchick <webchick@24967.no-reply.drupal.org> | 2012-08-18 14:10:10 +0200 |
commit | 18300548118660251a07de4afbe440b92d696599 (patch) | |
tree | 9ad0bdd180a9a6cd352bd0142d63a2a9da546748 /includes/session.inc | |
parent | a967540ff1aad558379d96fca96e1c11206710da (diff) | |
Issue #1688036 by lucascaro, sun: Fixed Session regenerate and destroy functions do not adhere to drupal_save_session().
Diffstat (limited to 'includes/session.inc')
-rw-r--r-- | includes/session.inc | 20 |
1 files changed, 19 insertions, 1 deletions
diff --git a/includes/session.inc b/includes/session.inc
index 8f1bcafc4..b04c18eb3 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -349,6 +349,11 @@ function drupal_session_started($set = NULL) {
 */
 function drupal_session_regenerate() {
 global $user, $is_https;
+ // Nothing to do if we are not allowed to change the session.
+ if (!drupal_save_session()) {
+ return;
+ }
+
 if ($is_https && variable_get('https', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
@@ -418,6 +423,11 @@ function drupal_session_regenerate() {
 function _drupal_session_destroy($sid) {
 global $user, $is_https;
 
+ // Nothing to do if we are not allowed to change the session.
+ if (!drupal_save_session()) {
+ return;
+ }
+
 // Delete session data.
 db_delete('sessions')
 ->condition($is_https ? 'ssid' : 'sid', $sid)
@@ -465,6 +475,11 @@ function _drupal_session_delete_cookie($name, $secure = NULL) {
 * User ID.
 */
 function drupal_session_destroy_uid($uid) {
+ // Nothing to do if we are not allowed to change the session.
+ if (!drupal_save_session()) {
+ return;
+ }
+
 db_delete('sessions')
 ->condition('uid', $uid)
 ->execute();
@@ -507,7 +522,10 @@ function _drupal_session_garbage_collection($lifetime) {
 * FALSE if writing session data has been disabled. Otherwise, TRUE.
 */
 function drupal_save_session($status = NULL) {
- $save_session = &drupal_static(__FUNCTION__, TRUE);
+ // PHP session ID, session, and cookie handling happens in the global scope.
+ // This value has to persist across calls to drupal_static_reset(), since a
+ // potentially wrong or disallowed session would be written otherwise.
+ static $save_session = TRUE;
 if (isset($status)) {
 $save_session = $status;
 }
|
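Review bot: The new early return in drupal_session_regenerate() is silent, so a caller that relies on this function to rotate the session ID after authentication cannot tell that the ID was kept. The docblock (only its closing `*/` is inside the hunk) should say so, for example `* If session saving is disabled via drupal_save_session(FALSE), the session ID is not regenerated and the function returns without doing anything.` The same silent guard is added to _drupal_session_destroy() and drupal_session_destroy_uid() in the later hunks, and their docblocks need the equivalent sentence. The function body continues past the end of the hunk.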
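Review bot: The guard in _drupal_session_destroy() exits with a bare `return;`, which yields NULL. If this function is registered as PHP's session destroy callback (the name suggests it, but the registration is not visible here), PHP treats a falsy result as a failed destroy. Make the result explicit, e.g. `return TRUE;`, and keep it consistent with what the normal path returns at the end of the function, which lies outside the hunk. A short comment that the session row and cookies are deliberately left in place in this case would also help the next reader.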
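Review bot: In drupal_session_destroy_uid() the guard depends on the current request's save flag, while the `db_delete('sessions')` below it removes rows by `uid`, which may belong to a different account than the one making the request. Code that runs with saving disabled and calls this function to revoke an account's sessions would get no deletion and no signal; whether that path is reachable depends on callers not shown here. At minimum the docblock should state that nothing is deleted while saving is disabled. A log entry would make the skip visible, e.g. `watchdog('session', 'Sessions for uid %uid were not destroyed because session saving is disabled.', array('%uid' => $uid), WATCHDOG_NOTICE);`.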
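Review bot: `$save_session = $status;` stores whatever the caller passes, and since this commit three functions branch on `!drupal_save_session()`, a non-boolean value now decides whether sessions are regenerated or destroyed. `$save_session = (bool) $status;` keeps the flag a strict boolean. Because the flag is now a plain `static` that drupal_static_reset() no longer restores, the docblock should also say that a caller passing FALSE must pass TRUE again when it is done, otherwise regeneration and destruction stay disabled for the rest of the request. The start of the docblock and the function's return lie outside the hunk.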