Fix session handling issue

I was looking for differences between user_logout() in drupal and pressflow, they are the same, except that in pressflow modules hooks are called before session_destroy().

So I wonder if the problem you've outlined can be solved in a similar way way.

The patch submitted with this issue resolved the Fatal Error I was receiving with Legal module enabled on Pressflow. It would be great to have Legal work out of box with Pressflow.

In my last post I changed the status. I hope I am not out of line changing that based on my testing and through brianV response. Let me know if I should have handled the status differently.

Just committed http://drupal.org/node/560548#comment-3420386 to 6.x-2.4-rc2

Does it fix the Pressflow issue reported here, or is it a different issue?

The bug still exists in 6.x-2.4-rc. Adding session_regenerate() did not remove the fatal error.

The error was removed when the patch code was added back into the module file.

<?php
session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
?>

I just installed:
pressflow-6.20.97
legal-6.x-2.4-rc2
checkbox_validate-6.x-2.1

Tested on MAMP, PHP 5.2

Could not reproduce the issue.

I tried running the Legal tests, and also tried manual tests of registration, changing T&Cs then logging out and back in with test user.

Could someone test with the above components and let me know if they experience an issue what steps they took to get to the issue.

Maybe the problem is specific to a particular system set up?

I can confirm that I have the same problem, the solution suggested works. The problem on my site occurs mostly when generating a lost password url - on clicking that url, the user gets a blank screen and I get that message in my error log. The site uses pressflow. I should also say that it wasn't consistently reproduceable, it seemed to happen only with some users [maybe only new ones?].

so all usual Legal functions work, just lost password feature sometimes shows white screen of death?

You sure that's a Legal bug?

I can't admit to fully understanding the session issues, but I used the patch back in December and it worked, but an update to the legal module in January not only broke the patch, but made the patch not work completely.

More specifically, first time logins timed out, and it was at the point of the legal module where the session is destroyed that was the cause. I've just tried the following code in around line 435 of legal.module, which seems to work:

     // module_invoke_all('user', 'logout', NULL, $user);
      // Only variables can be passed by reference workaround.
      $null = NULL;
      user_module_invoke('logout', $null, $user);

      // Destroy the current session.
      if (function_exists('drupal_session_destroy')) {
        drupal_session_destroy();
      }
      else {
        session_destroy();
      }
      // We have to use $GLOBALS to unset a global variable.
      // Load the anonymous user
      $user = drupal_anonymous_user();

though I haven't been diligent in figuring out which piece works. My thoughts are:

1. i looked at the user module logout and saw that it uses the user_module_invoke function instead of module_invoke_all, so just tried that. My guess is this is the key piece, though I've been to lazy to figure out why.

2. i modified the original patch to just use the pressflow function that does what the patch did [just my fiddling, not relevant to the problem]

3. i loaded the anonymous user the same way that the user module does, which looks like it might be faster and safer than how the legal module was doing it [because using user_load might trigger additional things].

Conclusion: sorry, not a well-formed patch, but maybe some useful pieces for anyone with a similar problem and perhaps those of you who better understand the session issues can see what's going on here.

I've added the patch in #1 to the master version of Legal, will role out a release soon.