Summary

There is a bug in the session system that will let you load a session from a row in the sessions table with a sid and ssid. But when that session is then saved back to the database, a new record is created instead of updating the existing row.

This issue is related to #575280: Impersonation when an https session exists..

How to replicate

  1. Enable both http and https on your Drupal site. Enable /user*, /admin* and /node/*/edit to be forced over https.
  2. Login and edit an existing node. Save it and be returned to node view page served over standard http
  3. You should observe no confirmation message

This is because the messages stored in the session are being saved to the https enabled session, while the node view page is retrieving a session from the database without https support.

I'm not sure what else this patch introduces, but it does fix the problem outlined above.

CommentFileSizeAuthor
7.x-https-session-fix.patch603 bytesjosh waihi

Comments

catch’s picture

Status: Needs review » Closed (duplicate)

This looks like a duplicate of #1131986: Session handling fails on multiple switches between http / https, if you've already looked at that issue and you think it's definitely not please re-open.