Problem/Motivation

Users can implement their own custom session handler systems by setting the 'session_inc' variable to something other than the default "includes/session.inc". However, authorize.php does not respect this setting, because it has a hard-coded include of "includes/session.inc".

This leads to either fatal errors (if the custom session handler doesn't check if the default handler is loaded) or failed session loading (if it does check).

Proposed resolution

Remove the hard-coded include of "includes/session.inc" in authorize.php and let the bootstrap process load the session handler properly.

Remaining tasks

  1. Write patch for D7 and D8.
  2. Community to test patch(es) #1.
    1. Install Drupal 7 or 8 – standard profile
    2. Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
    3. Ensure that the message "It appears you have reached this page in error." appears.
    4. Create the file '/custom_session.inc' with the following contents:
      <?php
      
      function drupal_session_initialize() {
        echo('Custom session handler was called.');
        exit();
      }
      
    5. Add the following line to /sites/default/settings.php:
      $conf['session_inc'] = 'custom_session.inc';
      
    6. Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
    7. Ensure that the fatal error "Cannot redeclare drupal_session_initialize()" occurs.
    8. Apply relevant patch #1.
    9. Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
    10. Ensure that the message "Custom session handler was called." appears.

  3. Commit patches to D7 and D8.

User interface changes

None.

API changes

None.
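
One way to check a code base for other entry scripts with the hard-coded include described in this issue summary (an added example, not part of the patch or of Drupal; the file names and contents are constructed stand-ins, and the grep heuristic is an assumption):

```shell
#!/bin/sh
# Added example, not Drupal code. All file names and contents are constructed.

# List "file:line:text" for each include/require of the literal default
# handler path. Lines that mention session_inc are treated as configurable
# and skipped (simple heuristic: the filter also sees the file path).
find_hardcoded_session_includes() {
  grep -rnE --include='*.php' --include='*.inc' \
    "(include|require)(_once)?[^;]*includes/session\.inc" "$1" \
    | grep -v 'session_inc' || true
}

# Constructed tree: an entry script before and after the proposed change,
# plus a bootstrap stand-in that reads the handler path from configuration.
make_sample_tree() {
  root=$(mktemp -d)
  mkdir -p "$root/includes"
  cat > "$root/authorize_before.php" <<'EOF'
<?php
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
require_once DRUPAL_ROOT . '/includes/session.inc';
EOF
  cat > "$root/authorize_after.php" <<'EOF'
<?php
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
EOF
  cat > "$root/includes/bootstrap.inc" <<'EOF'
<?php
require_once DRUPAL_ROOT . '/' . variable_get('session_inc', 'includes/session.inc');
EOF
  echo "$root"
}

tree=$(make_sample_tree)
find_hardcoded_session_includes "$tree"   # reports authorize_before.php line 3 only
rm -rf "$tree"
```

Any hit is a script that loads the default handler regardless of 'session_inc', so a site relying on a custom handler would not have it applied on that path.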


Comments

Akaoni’s picture

D7 and D8 patches:

Akaoni’s picture

Version: 8.x-dev » 7.x-dev

Change to D7 to test patch.

Akaoni’s picture

Akaoni’s picture

Version: 7.x-dev » 8.x-dev

Back to D8.

Akaoni’s picture

Issue tags: +Novice

Updated issue summary and added test plan.

ryan.gibson’s picture

Status: Needs review » Reviewed & tested by the community

I followed the steps listed, the patch in #1 applied cleanly. After applying the patch, I got the "Custom session handler was called." text.

ryan.gibson’s picture

I should have clarified: I tested both the D8 and D7 patches and got the same results.

Dries’s picture

This seems like the correct fix. Leaving it as RTBC for more people to review.

Akaoni’s picture

@ryanissamson: Thanks for testing this, mate!! ;)

@Dries: Thanks for weighing in!!

catch’s picture

Version: 8.x-dev » 7.x-dev
Status: Reviewed & tested by the community » Needs review

Looks good to me. Committed/pushed to 8.x. CNR for 7.x.

Akaoni’s picture

Status: Needs review » Reviewed & tested by the community

Thanks catch.

As stated in #8, this has already been reviewed and tested for D7.

Akaoni’s picture

Issue summary: View changes

Patches written.
Added test plan.

David_Rothstein’s picture

Status: Reviewed & tested by the community » Fixed

David_Rothstein’s picture

Issue summary: View changes

Updated remaining tasks.

Automatically closed -- issue fixed for 2 weeks with no activity.

Anonymous’s picture

Issue summary: View changes

Update remaining tasks.