Download & Extend
Masquerade » Issues

Needless session creation = incompatible with Pressflow

Posted by joshk on September 10, 2010 at 10:11pm
Project:Masquerade
Version:6.x-1.x-dev
Component:Code
Category:bug report
Priority:normal
Assigned:claudiu.cristea
Status:closed (duplicate)

Issue Summary

Masquerade's hook_init has an incompatibility with Pressflow in that it initializes a $_SESSION for every pageload whether this is necessary or not:

<?php
/**
* Implementation of hook_init().
*/
function masquerade_init() {
  global $user;

  // load from table uid + session id
  $uid = db_result(db_query("SELECT uid_from FROM {masquerade} WHERE sid = '%s' AND uid_as = %d", session_id(), $user->uid));
  // using if so that we get unset rather than false if not masqing
  if ($uid) {
    $_SESSION['masquerading'] = $uid;
  }
  else {
    $_SESSION['masquerading'] = null;
  }
}
?>

I believe the fix is as simple as changing the else statement to be like:

<?php
  elseif (isset($_SESSION['masquerading'])) {
    $_SESSION['masquerading'] = NULL;
  }
?>

Patch is attached.

AttachmentSize
masquerade_pressflow_compatibility.patch573 bytes
Login or register to post comments

Comments

#1

Posted by mrfelton on September 23, 2010 at 9:16am

Lets get this committed!

#2

Posted by deekayen on September 23, 2010 at 12:14pm
Version:6.x-1.4» 6.x-1.x-dev
Status:active» fixed

Committed to DRUPAL-6--1. HEAD and DRUPAL-5 do this process differently, so I didn't apply it there.

#3

Posted by deviantintegral on September 23, 2010 at 4:32pm
Status:fixed» patch (to be ported)

Just to confirm, this is a duplicate of #705858: Don't create session var when not masqerading?

Marking as to be ported to remind myself to double check this against HEAD.

#4

Posted by claudiu.cristea on October 29, 2010 at 9:00am
Category:feature request» bug report
Assigned to:joshk» claudiu.cristea
Status:patch (to be ported)» active

Right now, with the code from DRUPAL-6--1 when we masquerade as Anonymous (UID = 0) we are loosing the source user in $_SESSION['masquerade'] because the code from hook_init() triggers only when user_is_logged_in().

#5

Posted by claudiu.cristea on October 29, 2010 at 10:22am
Status:active» needs review

Here's a patch that strips out session variable $_SESSION['masquerading'] when the current user is not masque (not set through Masquerade). The result is that when not masquerading there will be no $_SESSION['masquerading'] variable.

When masquerading there will be a $_SESSION['masquerading'] variable even if masquerading as Anonymous. And this is the right behavior even on Pressflow.

Modified also all occurrences of $_SESSION['masquerading'] to make the code PHP 5.3 safe.

AttachmentSize
masquerade-no-sess-for-anon.patch 5.25 KB

#6

Posted by deekayen on October 29, 2010 at 6:15pm
Status:needs review» needs work

Isn't it safe to unset something that's not set? Can if (isset($_SESSION['masquerading'])) { be removed in the init()?

#7

Posted by deekayen on October 29, 2010 at 6:39pm
Status:needs work» closed (duplicate)

There are more subscribers on the older issue: #705858: Don't create session var when not masqerading