? includes/nocookies.patch Index: includes/common.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/common.inc,v retrieving revision 1.611.2.12 diff -u -r1.611.2.12 common.inc --- includes/common.inc 17 Oct 2007 21:28:59 -0000 1.611.2.12 +++ includes/common.inc 1 Nov 2007 19:32:12 -0000 @@ -300,6 +300,16 @@ extract(parse_url(urldecode($_REQUEST['edit']['destination']))); } + if (ini_get('session.use_trans_sid') && session_id() && !strstr($query, session_id())) { + $sid = session_name() . '=' . session_id(); + if (!empty($query) && !strstr($query, $sid)) { + $query = $query .'&'. $sid; + } + else { + $query = $sid; + } + } + $url = url($path, $query, $fragment, TRUE); // Remove newlines from the URL to avoid header injection attacks. $url = str_replace(array("\n", "\r"), '', $url); Index: includes/session.inc =================================================================== RCS file: /cvs/drupal/drupal/includes/session.inc,v retrieving revision 1.37.2.2 diff -u -r1.37.2.2 session.inc --- includes/session.inc 26 Jul 2007 19:16:45 -0000 1.37.2.2 +++ includes/session.inc 1 Nov 2007 19:32:12 -0000 @@ -22,12 +22,6 @@ // So we are moving session closure before destructing objects. register_shutdown_function('session_write_close'); - // Handle the case of first time visitors and clients that don't store cookies (eg. web crawlers). - if (!isset($_COOKIE[session_name()])) { - $user = drupal_anonymous_user(); - return ''; - } - // Otherwise, if the session is still active, we have a record of the client's session in the database. $user = db_fetch_object(db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = '%s'", $key)); 
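Review bot: The block added to includes/common.inc puts the live session ID into the query string of every redirect when `session.use_trans_sid` is on, so the identifier ends up in Referer headers, proxy and server logs, browser history and any link a user copies. Taken with the session.inc hunks in this patch that drop the cookie checks in sess_read and sess_write, a session ID carried in a URL now appears to be honoured, which makes session fixation a concern unless the ID is regenerated at login. I would record that above the block, e.g. `// SECURITY: URL-carried session IDs leak via Referer/logs and permit fixation; used only when session.use_trans_sid is enabled.` The inner `!strstr($query, $sid)` test is redundant, because the outer condition already established that `$query` does not contain `session_id()`; `$query = empty($query) ? $sid : $query .'&'. $sid;` expresses the same logic. The enclosing function starts and ends outside the hunk.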
@@ -56,22 +50,10 @@ function sess_write($key, $value) { global $user; - // If saving of session data is disabled or if the client doesn't have a session, - // and one isn't being created ($value), do nothing. - if (!session_save_session() || (empty($_COOKIE[session_name()]) && empty($value))) { - return TRUE; - } - $result = db_query("SELECT sid FROM {sessions} WHERE sid = '%s'", $key); if (!db_num_rows($result)) { - // Only save session data when when the browser sends a cookie. This keeps - // crawlers out of session table. This reduces memory and server load, - // and gives more useful statistics. We can't eliminate anonymous session - // table rows without breaking throttle module and "Who's Online" block. - if ($user->uid || $value || count($_COOKIE)) { - db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, $user->cache, $_SERVER["REMOTE_ADDR"], $value, time()); - } + db_query("INSERT INTO {sessions} (sid, uid, cache, hostname, session, timestamp) VALUES ('%s', %d, %d, '%s', '%s', %d)", $key, $user->uid, $user->cache, $_SERVER["REMOTE_ADDR"], $value, time()); } else { db_query("UPDATE {sessions} SET uid = %d, cache = %d, hostname = '%s', session = '%s', timestamp = %d WHERE sid = '%s'", $user->uid, $user->cache, $_SERVER["REMOTE_ADDR"], $value, time(), $key); @@ -91,15 +73,6 @@ function sess_regenerate() { $old_session_id = session_id(); - // We code around http://bugs.php.net/bug.php?id=32802 by destroying - // the session cookie by setting expiration in the past (a negative - // value). This issue only arises in PHP versions before 4.4.0, - // regardless of the Drupal configuration. - // TODO: remove this when we require at least PHP 4.4.0 - if (isset($_COOKIE[session_name()])) { - setcookie(session_name(), '', time() - 42000, '/'); - } - session_regenerate_id(); db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", session_id(), $old_session_id);
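Review bot: sess_write() no longer consults `session_save_session()`, so a caller that switched session saving off will still have the current `$user` written to the sessions row; the removed guard was the only place in this function's visible body that honoured that switch. If any caller disables saving while temporarily acting as another account, that account's uid would now be persisted into the visitor's session, so I would keep the first half of the old test: `if (!session_save_session()) { return TRUE; }`. The INSERT is also unconditional now, so every cookie-less request (crawlers, monitors) creates a row, which is the load problem the deleted comment described; if that is intended, anonymous rows need pruning or a cap. The sess_read hunk (-22,12) removes the matching cookie check, and sess_write's body continues past this hunk.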