diff -u b/core/includes/form.inc b/core/includes/form.inc --- b/core/includes/form.inc +++ b/core/includes/form.inc @@ -1211,11 +1211,6 @@ } } - // Ensure the correct protocol when #https is set. - if (!empty($form['#https']) && !\Drupal::request()->isSecure() && settings()->get('mixed_mode_sessions', FALSE)) { - form_set_error('', t('This form must be submitted over a secure connection.')); - } - _form_validate($form, $form_state, $form_id); $validated_forms[$form_id] = TRUE; @@ -1228,6 +1223,11 @@ } } + // Ensure the correct protocol when #https is set. + if (!empty($form['#https']) && !\Drupal::request()->isSecure() && settings()->get('mixed_mode_sessions', FALSE)) { + form_set_error('', t('This form must be submitted over a secure connection.')); + } + _form_validate($form, $form_state, $form_id); $validated_forms[$form_id] = TRUE; diff -u b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php --- b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php +++ b/core/lib/Drupal/Core/Access/CsrfTokenGenerator.php @@ -76,7 +76,7 @@ } } // Otherwise, use the session ID. - if (!empty($identifier)) { + if (empty($identifier)) { $identifier = session_id(); } return Crypt::hmacBase64($value, $identifier . $this->privateKey->get() . drupal_get_hash_salt()); diff -u b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php --- b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php +++ b/core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php 
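Review bot: The relocated `#https` check in the second form.inc hunk rejects the submission only after it has already arrived over plain HTTP, and only when `mixed_mode_sessions` is enabled; the one-line comment above it says neither. By the time `form_set_error()` runs the submitted values have crossed the network unencrypted, so this guard stops processing rather than protecting the data, and a form flagged `#https` on a site without mixed mode is not checked here at all. I would expand the comment to something like `// Mixed mode only: refuse to process an #https form that arrived over HTTP. The values were already sent in clear, so the form itself must be served over HTTPS.` The enclosing function starts and ends outside the hunk, so whether an earlier branch returns before this check is reached cannot be confirmed from here.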
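Review bot: In the CsrfTokenGenerator.php hunk the corrected fallback `$identifier = session_id();` can still leave `$identifier` empty, because `session_id()` returns an empty string when no session is active. In that case the key passed to `Crypt::hmacBase64()` consists only of the private key and the hash salt, so every client without a session would get the same token for a given `$value`. Consider handling that case explicitly after the fallback, or at least documenting it with `// session_id() is '' without an active session; the token is then not bound to a client.` The method body begins above the hunk, so an earlier guarantee that a session exists may simply not be visible here.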
@@ -223,7 +223,6 @@ $this->assertResponse(200); // Test that tokens can be shared in mixed mode. - $this->settingsSet('mixed_mode_sessions', TRUE); $this->drupalGet($this->httpUrl('session-test/shared-token')); $matches = array(); preg_match('/\s*sharedToken:(.*)\n/', $this->drupalGetContent(), $matches); diff -u b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/Controller/SessionTestController.php b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/Controller/SessionTestController.php --- b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/Controller/SessionTestController.php +++ b/core/modules/system/tests/modules/session_test/lib/Drupal/session_test/Controller/SessionTestController.php @@ -144,5 +144,5 @@ */ public function sharedToken() { - return 'sharedToken:' . \Drupal::csrfToken()->get($value); + return 'sharedToken:' . \Drupal::csrfToken()->get(); } }