? sites/default/files
? sites/default/private
? sites/default/settings.php
Index: includes/session.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/session.inc,v
retrieving revision 1.72
diff -u -p -r1.72 session.inc
--- includes/session.inc	28 Sep 2009 22:22:54 -0000	1.72
+++ includes/session.inc	27 Oct 2009 17:26:00 -0000
@@ -151,14 +151,17 @@ function _drupal_session_write($sid, $va
     'session' => $value,
     'timestamp' => REQUEST_TIME,
   );
-  $insecure_session_name = substr(session_name(), 1);
-  if ($is_https && isset($_COOKIE[$insecure_session_name])) {
-    $fields['sid'] = $_COOKIE[$insecure_session_name];
-  }
-  db_merge('sessions')
-    ->key(array($is_https ? 'ssid' : 'sid' => $sid))
-    ->fields($fields)
-    ->execute();
+  $key = array('sid' => $sid);
+  if ($is_https) {
+    $key['ssid'] = $sid;
+    $insecure_session_name = substr(session_name(), 1);
+    // If the "secure pages" setting is enabled, use the insecure session
+    // identifier as the sid.
+    if (variable_get('https', FALSE) && isset($_COOKIE[$insecure_session_name])) {
+      $key['sid'] = $_COOKIE[$insecure_session_name];
+    }
+  }
+  db_merge('sessions')->key($key)->fields($fields)->execute();
 
   // Last access time is updated no more frequently than once every 180 seconds.
   // This reduces contention in the users table.
Index: modules/simpletest/tests/session.test
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/session.test,v
retrieving revision 1.18
diff -u -p -r1.18 session.test
--- modules/simpletest/tests/session.test	5 Sep 2009 13:05:30 -0000	1.18
+++ modules/simpletest/tests/session.test	27 Oct 2009 17:26:00 -0000
@@ -272,18 +272,60 @@ class SessionHttpsTestCase extends Drupa
     global $is_https;
 
     if ($is_https) {
+      $secure_session_name = session_name();
+      $insecure_session_name = substr(session_name(), 1);
+    }
+    else {
+      $secure_session_name = 'S' . session_name();
+      $insecure_session_name = session_name();
+    }
+
+    $user = $this->drupalCreateUser(array('access administration pages'));
+
+    // Test HTTPS session handling without enabling the "secure pages" setting.
+    $this->drupalGet('user/login');
+    $form = $this->xpath('//form[@id="user-login"]');
+    $form[0]['action'] = $this->httpsUrl('user/login');
+    $this->drupalPost(NULL, array('name' => $user->name, 'pass' => $user->pass_raw), t('Log in'));
+
+    // Test a second concurrent session.
+    $this->curlClose();
+    $this->drupalGet('user/login');
+    $form = $this->xpath('//form[@id="user-login"]');
+    $form[0]['action'] = $this->httpsUrl('user/login');
+    $this->drupalPost(NULL, array('name' => $user->name, 'pass' => $user->pass_raw), t('Log in'));
+
+    // Check secure cookie on secure page.
+    $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
+    // Check insecure cookie is not set.
+    $this->assertFalse(isset($this->cookies[$insecure_session_name]));
+    $args = array_fill_keys(array(':sid', ':ssid'), $this->cookies[$secure_session_name]['value']);
+    $this->assertTrue(db_query('SELECT sid FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), 'Session has both SIDs');
+    $cookie = $secure_session_name . '=' . $args[':ssid'];
+
+    // Verify that user is logged in on secure URL.
+    $this->curlClose();
+    $this->drupalGet($this->httpsUrl('admin'), array(), array('Cookie: ' . $cookie));
+    $this->assertText(t('Administer'));
+
+    // Verify that user is not logged in on non-secure URL.
+    if (!$is_https) {
+      $this->curlClose();
+      $this->drupalGet('admin', array(), array('Cookie: ' . $cookie));
+      $this->assertNoText(t('Administer'));
+    }
+
+    // Clear browser cookie jar.
+    $this->cookies = array();
+
+    if ($is_https) {
       // The functionality does not make sense when running on https.
       return;
     }
 
-    $insecure_session_name = session_name();
-    $secure_session_name = "S$insecure_session_name";
-
     // Enable secure pages.
     variable_set('https', TRUE);
 
-    $user = $this->drupalCreateUser(array('access administration pages'));
-
     $this->curlClose();
     $this->drupalGet('session-test/set/1');
     // Check secure cookie on insecure page.
Index: modules/simpletest/tests/session_test.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/session_test.module,v
retrieving revision 1.13
diff -u -p -r1.13 session_test.module
--- modules/simpletest/tests/session_test.module	15 Oct 2009 16:18:45 -0000	1.13
+++ modules/simpletest/tests/session_test.module	27 Oct 2009 17:26:00 -0000
@@ -158,5 +158,8 @@ function session_test_form_user_login_al
  */
 function session_test_drupal_goto_alter(&$path, &$options, &$http_response_code) {
   global $base_insecure_url;
-  $path = $base_insecure_url . '/' . $path;
+  // Alter the redirect only when the "secure pages" setting is enabled.
+  if (variable_get('https', FALSE)) {
+    $path = $base_insecure_url . '/' . $path;
+  }
 }
