diff -u b/includes/session.inc b/includes/session.inc
--- b/includes/session.inc
+++ b/includes/session.inc
@@ -91,17 +91,17 @@
 // that is in the user's cookie is hashed before being stored in the database
 // as a security measure. Thus, we have to hash it to match the database.
 if ($is_https) {
- $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => drupal_hash_base64($sid)))->fetchObject();
+ $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => drupal_session_id($sid)))->fetchObject();
 if (!$user) {
 if (isset($_COOKIE[$insecure_session_name])) {
 $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
- ':sid' => drupal_hash_base64($_COOKIE[$insecure_session_name])))
+ ':sid' => drupal_session_id($_COOKIE[$insecure_session_name])))
 ->fetchObject();
 }
 }
 }
 else {
- $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(':sid' => drupal_hash_base64($sid)))->fetchObject();
+ $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(':sid' => drupal_session_id($sid)))->fetchObject();
 }
 // We found the client's session record and they are an authenticated,
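Review bot: The context comment at the top of this hunk, `// that is in the user's cookie is hashed before being stored in the database`, is no longer unconditionally true once the three lookups below go through drupal_session_id(), which (per the function added at the end of session.inc) hashes only when 'hash_session_ids' is enabled and the installed system schema is 7086 or later. Suggest rewording it to `// that is in the user's cookie is passed through drupal_session_id() (hashed when session ID hashing is enabled) before being stored in the database; the same transform is applied here so the lookup matches the stored value.` so a reader does not assume the sid/ssid columns always hold a hash. The enclosing function starts and ends outside this hunk.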
@@ -187,10 +187,10 @@
 // Use the session ID as 'sid' and an empty string as 'ssid' by default.
 // _drupal_session_read() does not allow empty strings so that's a safe
 // default.
- $key = array('sid' => drupal_hash_base64($sid), 'ssid' => '');
+ $key = array('sid' => drupal_session_id($sid), 'ssid' => '');
 // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
 if ($is_https) {
- $key['ssid'] = drupal_hash_base64($sid);
+ $key['ssid'] = drupal_session_id($sid);
 // The "secure pages" setting allows a site to simultaneously use both
 // secure and insecure session cookies. If enabled and both cookies are
 // presented then use both keys. The session ID from the cookie is
@@ -198,7 +198,7 @@
 if (variable_get('https', FALSE)) {
 $insecure_session_name = substr(session_name(), 1);
 if (isset($_COOKIE[$insecure_session_name])) {
- $key['sid'] = drupal_hash_base64($_COOKIE[$insecure_session_name]);
+ $key['sid'] = drupal_session_id($_COOKIE[$insecure_session_name]);
 }
 }
 }
@@ -419,18 +419,18 @@
 'httponly' => $params['httponly'],
 );
 drupal_setcookie(session_name(), session_id(), $options);
- $fields = array('sid' => drupal_hash_base64(session_id()));
+ $fields = array('sid' => drupal_session_id(session_id()));
 if ($is_https) {
- $fields['ssid'] = drupal_hash_base64(session_id());
+ $fields['ssid'] = drupal_session_id(session_id());
 // If the "secure pages" setting is enabled, use the newly-created
 // insecure session identifier as the regenerated sid.
 if (variable_get('https', FALSE)) {
- $fields['sid'] = drupal_hash_base64($session_id);
+ $fields['sid'] = drupal_session_id($session_id);
 }
 }
 db_update('sessions')
 ->fields($fields)
- ->condition($is_https ? 'ssid' : 'sid', drupal_hash_base64($old_session_id))
+ ->condition($is_https ? 'ssid' : 'sid', drupal_session_id($old_session_id))
 ->execute();
 }
 elseif (isset($old_insecure_session_id)) {
@@ -438,8 +438,8 @@
 // secure site but a session was active on the insecure site, update the
 // insecure session with the new session identifiers.
 db_update('sessions')
- ->fields(array('sid' => drupal_hash_base64($session_id), 'ssid' => drupal_hash_base64(session_id())))
- ->condition('sid', drupal_hash_base64($old_insecure_session_id))
+ ->fields(array('sid' => drupal_session_id($session_id), 'ssid' => drupal_session_id(session_id())))
+ ->condition('sid', drupal_session_id($old_insecure_session_id))
 ->execute();
 }
 else {
@@ -491,7 +491,7 @@
 // Delete session data.
 db_delete('sessions')
- ->condition($is_https ? 'ssid' : 'sid', drupal_hash_base64($sid))
+ ->condition($is_https ? 'ssid' : 'sid', drupal_session_id($sid))
 ->execute();
 // Reset $_SESSION and $user to prevent a new session from being started
@@ -601,3 +601,11 @@
 }
 return $save_session;
 }
+
+require_once DRUPAL_ROOT . '/includes/install.inc';
+function drupal_session_id($id) {
+ if (variable_get('hash_session_ids', TRUE) && drupal_get_installed_schema_version('system') >= 7086) {
+ $id = drupal_hash_base64($id);
+ }
+ return $id;
+}
diff -u b/modules/system/system.install b/modules/system/system.install
--- b/modules/system/system.install
--- b/modules/system/system.install
+++ b/modules/system/system.install
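Review bot: In the last hunk of session.inc, drupal_session_id() has no docblock and the new `require_once DRUPAL_ROOT . '/includes/install.inc';` sits at file scope, so install.inc is loaded on every request that bootstraps sessions, including sites that have turned hashing off, and each call presumably also pays for drupal_get_installed_schema_version()'s module-version lookup (I infer that from the function's home in install.inc; confirm). The docblock should state the contract the callers in the earlier hunks rely on: the function returns the form of a session ID as stored in {sessions}, i.e. drupal_hash_base64() of the ID once 'hash_session_ids' is enabled and the installed system schema is 7086 or later, otherwise the raw ID; and it should say plainly that setting 'hash_session_ids' to FALSE stores raw session IDs in the database, giving up the protection the comment in the first hunk calls a security measure. Moving the require_once inside the variable_get() branch keeps install.inc out of requests that do not need it without changing the result.
```php
/**
 * Returns a session ID in the form it is stored in the {sessions} table.
 *
 * @param string $id
 *   The raw session ID, as taken from the cookie or session_id().
 *
 * @return string
 *   drupal_hash_base64($id) when the 'hash_session_ids' variable is enabled
 *   and the installed system schema is 7086 or later; otherwise $id unchanged,
 *   meaning the raw ID is what ends up in the database.
 */
function drupal_session_id($id) {
  if (variable_get('hash_session_ids', TRUE)) {
    // Only needed for drupal_get_installed_schema_version().
    require_once DRUPAL_ROOT . '/includes/install.inc';
    if (drupal_get_installed_schema_version('system') >= 7086) {
      $id = drupal_hash_base64($id);
    }
  }
  return $id;
}
```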
@@ -3385,21 +3385,23 @@
 db_change_field('sessions', 'ssid', 'ssid', $spec, array('primary key' => array('sid', 'ssid')));
 // Update all existing sessions.
- $sessions = db_query('SELECT sid, ssid FROM {sessions}');
- while ($session = $sessions->fetchAssoc()) {
- $query = db_update('sessions');
- $fields = array();
- if (!empty($session['sid'])) {
- $fields['sid'] = drupal_hash_base64($session['sid']);
- $query->condition('sid', $session['sid']);
+ if (variable_get('hash_session_ids', TRUE)) {
+ $sessions = db_query('SELECT sid, ssid FROM {sessions}');
+ while ($session = $sessions->fetchAssoc()) {
+ $query = db_update('sessions');
+ $fields = array();
+ if (!empty($session['sid'])) {
+ $fields['sid'] = drupal_hash_base64($session['sid']);
+ $query->condition('sid', $session['sid']);
+ }
+ if (!empty($session['ssid'])) {
+ $fields['ssid'] = drupal_hash_base64($session['ssid']);
+ $query->condition('ssid', $session['ssid']);
+ }
+ $query
+ ->fields($fields)
+ ->execute();
 }
- if (!empty($session['ssid'])) {
- $fields['ssid'] = drupal_hash_base64($session['ssid']);
- $query->condition('ssid', $session['ssid']);
- }
- $query
- ->fields($fields)
- ->execute();
 }
 }
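Review bot: When 'hash_session_ids' is FALSE the added `if` skips rewriting the {sessions} rows, but the schema version still advances past this update, so a site that later enables the variable will have drupal_session_id() hashing every lookup against rows that hold raw IDs (and the reverse when a hashed site disables it), and every existing session silently stops matching. Nothing in the hunk records this one-way dependency; a comment above the added `if`, such as `// Skipping the rewrite is not reversible: toggling 'hash_session_ids' after this update does not convert stored IDs and invalidates all existing sessions until the {sessions} table is emptied.`, would tell the next maintainer, and the same caveat belongs wherever the variable is documented for site owners. The enclosing update function starts outside this hunk.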