author | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-11-04 05:05:52 +0000 |
---|---|---|
committer | Angie Byron <webchick@24967.no-reply.drupal.org> | 2009-11-04 05:05:52 +0000 |
commit | 36adc757f92c4290f73725aea6aa90cdd461ddd4 (patch) | |
tree | 4f81e241435627a59ce8bf37eb3bd2f5e0fa5843 /includes/session.inc | |
parent | 59b7e23b566013829bf628c2c188e02f776c965d (diff) | |
#575280 follow-up by mfb and chx: Fixed impersonation attack when an https session exists.
Diffstat (limited to 'includes/session.inc')
-rw-r--r-- | includes/session.inc | 15 |
1 files changed, 11 insertions, 4 deletions
diff --git a/includes/session.inc b/includes/session.inc
index 60d5d54a4..51e40ac75 100644
--- a/includes/session.inc
+++ b/includes/session.inc
@@ -151,12 +151,19 @@ function _drupal_session_write($sid, $value) {
 'session' => $value,
 'timestamp' => REQUEST_TIME,
 );
- $insecure_session_name = substr(session_name(), 1);
- if ($is_https && isset($_COOKIE[$insecure_session_name])) {
- $fields['sid'] = $_COOKIE[$insecure_session_name];
+ $key = array('sid' => $sid);
+ if ($is_https) {
+ $key['ssid'] = $sid;
+ $insecure_session_name = substr(session_name(), 1);
+ // The "secure pages" setting allows a site to simultaneously use both
+ // secure and insecure session cookies. If enabled, use the insecure session
+ // identifier as the sid.
+ if (variable_get('https', FALSE) && isset($_COOKIE[$insecure_session_name])) {
+ $key['sid'] = $_COOKIE[$insecure_session_name];
+ }
 }
 db_merge('sessions')
- ->key(array($is_https ? 'ssid' : 'sid' => $sid))
+ ->key($key)
 ->fields($fields)
 ->execute();
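Review bot: The added `$key['sid'] = $_COOKIE[$insecure_session_name];` still copies a client-controlled cookie value straight into the merge key, and nothing in the hunk says why that is now acceptable; the security argument (the row is looked up on `sid` and `ssid` together, so a forged insecure cookie can no longer re-home another session's row under the caller's `ssid`) lives only in the commit title. I would state it at the site so the next edit does not drop `ssid` from the key again, e.g. replace the last sentence of the added comment with `// identifier as the sid. The ssid stays in the key so that a forged insecure cookie cannot attach this session to another user's row.`. The comment also refers to the "secure pages" setting while the code reads `variable_get('https', FALSE)`; naming the actual variable would avoid a reader hunting for a different setting. Whether the schema additionally enforces the sid/ssid pairing cannot be confirmed from this hunk. `_drupal_session_write` begins before the hunk (`$is_https` and `$fields` are set there) and the hunk header counts suggest one context line was lost in rendering.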