diff --git a/core/lib/Drupal/Core/Session/MetadataBag.php b/core/lib/Drupal/Core/Session/MetadataBag.php
index 8142284348..57d20583e8 100644
--- a/core/lib/Drupal/Core/Session/MetadataBag.php
+++ b/core/lib/Drupal/Core/Session/MetadataBag.php
@@ -56,4 +56,13 @@ public function stampNew($lifetime = NULL) {
 unset($this->meta[static::CSRF_TOKEN_SEED]);
 }
+
+ /**
+ * Clear the CSRF token seed.
+ */
+ public function clearCsrfTokenSeed() {
+ @trigger_error('Calling ' . __METHOD__ . '() is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. Use $this->clearCsrfTokenSeed instead. See https://www.drupal.org/node/3187914', E_USER_DEPRECATED);
+ unset($this->meta[static::CSRF_TOKEN_SEED]);
+ }
+
 }
diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 35c91808e7..4b865201c1 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -134,6 +134,25 @@ public function start() {
 return $result;
 }
+ /**
+ * {@inheritdoc}
+ */
+ public function getId() {
+ $id = $this->saveHandler->getId();
+
+ // Some code might rely on the existence of a session ID, before we even had
+ // a real session, which was supported by previous versions.
+ // We generate a random session ID here, but also throw a deprecation
+ // as you should never get to this point.
+ if (empty($id)) {
+ // Randomly generate a session identifier for this request.
+ @trigger_error('Calling ' . __METHOD__ . '() outside of an actual existing session is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. This is often used for anonymous users. See https://www.drupal.org/node/3006306', E_USER_DEPRECATED);
+ $this->setId(Crypt::randomBytesBase64());
+ }
+ return $this->saveHandler->getId();
+ }
+
+
 /**
 * Forcibly start a PHP session.
 *
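Review bot: The deprecation message in the added `MetadataBag::clearCsrfTokenSeed()` tells callers to "Use $this->clearCsrfTokenSeed instead", which is the very method being deprecated, so it offers no migration path. The hunk header shows `stampNew()` ending with the same `unset($this->meta[static::CSRF_TOKEN_SEED])`, so that is presumably the intended replacement; if so, the text should read `Use \Drupal\Core\Session\MetadataBag::stampNew() instead.` The identical string is pinned by `expectDeprecation()` in MetadataBagTest.php and needs the matching change. The docblock should also gain an `@deprecated in drupal:9.2.0 and is removed from drupal:10.0.0.` tag naming the replacement plus `@see https://www.drupal.org/node/3187914`, so static tooling can flag callers without relying on the runtime notice.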
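Review bot: In the added `SessionManager::getId()`, the `empty($id)` branch makes a getter change state: it sets a freshly generated ID on the save handler even though, per the deprecation text, no session exists, so as far as this hunk shows the returned value is not tied to any stored session. Callers that key per-user data or token checks on it would be trusting an identifier the client never presented, and a bare `{@inheritdoc}` hides that; the docblock should say something like `Returns a placeholder ID when no session has been started; it is not persisted and must not be treated as proof of a session.` The inline comment says callers "should never get to this point" while the message says this is "often used for anonymous users", so one of the two needs rewording. The `// Randomly generate a session identifier for this request.` comment belongs directly above the `setId()` call rather than above `@trigger_error()`.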
diff --git a/core/tests/Drupal/Tests/Core/Session/MetadataBagTest.php b/core/tests/Drupal/Tests/Core/Session/MetadataBagTest.php new file mode 100644 index 0000000000..2f9728c0b5 --- /dev/null +++ b/core/tests/Drupal/Tests/Core/Session/MetadataBagTest.php @@ -0,0 +1,25 @@ +expectDeprecation('Calling Drupal\Core\Session\MetadataBag::clearCsrfTokenSeed() is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. Use $this->clearCsrfTokenSeed instead. See https://www.drupal.org/node/3187914'); + + $metadata = new MetadataBag(new Settings([])); + $metadata->clearCsrfTokenSeed(); + } + + +} diff --git a/core/tests/Drupal/Tests/Core/Session/SessionManagerTest.php b/core/tests/Drupal/Tests/Core/Session/SessionManagerTest.php new file mode 100644 index 0000000000..7aaedf6778 --- /dev/null +++ b/core/tests/Drupal/Tests/Core/Session/SessionManagerTest.php @@ -0,0 +1,54 @@ +createMock(Connection::class); + $session_configuration = $this->createMock(SessionConfigurationInterface::class); + $session_manager = new SessionManager( + new RequestStack(), + $connection, + new MetadataBag(new Settings([])), + $session_configuration, + new FakeAbstractProxy() + ); + + $this->expectDeprecation('Calling Drupal\Core\Session\SessionManager::getId() outside of an actual existing session is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. This is often used for anonymous users. See https://www.drupal.org/node/3006306'); + $this->assertNotEmpty($session_manager->getId()); + } + +} + +class FakeAbstractProxy extends AbstractProxy { + + /** + * Stores the fake session ID. + * + * @var string + */ + protected $id; + + public function setId($id) { + $this->id = $id; + } + + public function getId() { + return $this->id; + } + + +}
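Review bot: The MetadataBagTest case only expects the deprecation notice and never checks that the seed is actually removed, which is the behaviour that matters for CSRF token handling. Seeding the bag first and asserting afterwards would pin it: `$metadata->setCsrfTokenSeed('a_seed');` before the call and `$this->assertNull($metadata->getCsrfTokenSeed());` after it. The start of this file's hunk is not legible in this view, so the surrounding test method is only partly visible.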
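Review bot: In SessionManagerTest the only check on the fallback path is `assertNotEmpty($session_manager->getId())`, which would still pass if every call produced a different identifier. Capturing the first value and adding `$this->assertSame($id, $session_manager->getId());` would pin that the generated ID is stored on the proxy and reused within the request. `FakeAbstractProxy::setId()` and `getId()` have no docblocks; `{@inheritdoc}` on each would match the style used in the production hunk.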