? sites/default/files
? sites/default/private
? sites/default/settings.php
Index: includes/session.inc
===================================================================
RCS file: /cvs/drupal/drupal/includes/session.inc,v
retrieving revision 1.71
diff -u -p -r1.71 session.inc
--- includes/session.inc	5 Sep 2009 13:05:30 -0000	1.71
+++ includes/session.inc	14 Sep 2009 08:30:25 -0000
@@ -152,8 +152,11 @@ function _drupal_session_write($sid, $va
     'timestamp' => REQUEST_TIME,
   );
   $insecure_session_name = substr(session_name(), 1);
-  if ($is_https && isset($_COOKIE[$insecure_session_name])) {
-    $fields['sid'] = $_COOKIE[$insecure_session_name];
+  if ($is_https) {
+    // Saving an empty sid causes a duplicate key error and would be a
+    // security vulnerability, so set the sid to either the insecure session
+    // identifier or, if not available, the secure session identifier.
+    $fields['sid'] = isset($_COOKIE[$insecure_session_name]) ? $_COOKIE[$insecure_session_name] : $sid;
   }
   db_merge('sessions')
     ->key(array($is_https ? 'ssid' : 'sid' => $sid))
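Review bot: The fallback on the new `$fields['sid'] = isset(...) ? ... : $sid;` line stores the secure session identifier in `sid`, the column that the `->key(...)` call below uses for non-HTTPS requests, so a session that starts on HTTPS no longer has distinct values in `sid` and `ssid`. Whether the read path can then match this row from a plain-HTTP request is not visible in this hunk and should be confirmed. The other branch still copies `$_COOKIE[$insecure_session_name]` into the row as-is, and that value is client-supplied. The comment should record both assumptions, for example `// The insecure cookie is client-supplied and is stored unvalidated; the fallback makes sid equal to ssid.` _drupal_session_write starts and ends outside the hunk.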
Index: modules/simpletest/tests/session_test.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/simpletest/tests/session_test.module,v
retrieving revision 1.12
diff -u -p -r1.12 session_test.module
--- modules/simpletest/tests/session_test.module	11 Sep 2009 04:45:23 -0000	1.12
+++ modules/simpletest/tests/session_test.module	14 Sep 2009 08:30:25 -0000
@@ -158,5 +158,9 @@ function session_test_form_user_login_al
  */
 function session_test_drupal_goto_alter(&$args) {
   global $base_insecure_url;
-  $args['path'] = $base_insecure_url . '/' . $args['path'];
+  // Alter the redirect only during the session HTTPS handling test, which
+  // enables the secure pages setting.
+  if (variable_get('https', FALSE)) {
+    $args['path'] = $base_insecure_url . '/' . $args['path'];
+  }
 }
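Review bot: The new comment says the redirect is altered only during the session HTTPS handling test, but the guard `variable_get('https', FALSE)` is true whenever that variable is enabled. Any other test that loads this module with HTTPS turned on would get the same rewrite to `$base_insecure_url`. A comment that matches the condition would be more accurate, for example `// Alter the redirect only while the 'https' variable is enabled, as the session HTTPS test does.` The docblock of session_test_drupal_goto_alter starts outside the hunk.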
