Users can implement their own custom session handler systems by setting the 'session_inc' variable to something other than the default "includes/". This setting isn't respected by authorize.php however, which has a hard coded include to "includes/".

This leads to either fatal errors (if the custom session handler doesn't check if the default handler is loaded) or failed session loading (if it does check).

Proposed resolution

Remove hard coded include to "includes/" in authorize.php and let the session handler be loaded properly by the bootstrap process.

Remaining tasks

  1. Write patch for D7 and D8.
  2. Community to test patch(es) #1.
    1. Install Drupal 7 or 8 – standard profile
    2. Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
    3. Ensure that the message "It appears you have reached this page in error." appears.
    4. Create the file '/' with the following contents:
      function drupal_session_initialize() {
        echo('Custom session handler was called.');
    5. Add the following line to /sites/default/settings.php:
      $conf['session_inc'] = '';
    6. Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
    7. Ensure that the fatal error "Cannot redeclare drupal_session_initialize()" occurs.
    8. Apply relevant patch #1.
    9. Go to authorize.php (D7: /authorize.php; D8: /core/authorize.php)
    10. Ensure that the message "Custom session handler was called." appears.

  3. Commit patches to D7 and D8.

User interface changes


API changes


#1 D7_core-authorize.php_sessions-1399168-2.patch482 bytesAkaoni
PASSED: [[SimpleTest]]: [MySQL] 37,286 pass(es).
[ View ]
#1 D8_core-authorize.php_sessions-1399168-2.patch527 bytesAkaoni
PASSED: [[SimpleTest]]: [MySQL] 34,594 pass(es).
[ View ]


Status:Active» Needs review
new527 bytes
PASSED: [[SimpleTest]]: [MySQL] 34,594 pass(es).
[ View ]
new482 bytes
PASSED: [[SimpleTest]]: [MySQL] 37,286 pass(es).
[ View ]

D7 and D8 patches:

Version:8.x-dev» 7.x-dev

Change to D7 to test patch.

Version:7.x-dev» 8.x-dev

Back to D8.

Issue tags:+Novice

Updated issue summary and added test plan.

Status:Needs review» Reviewed & tested by the community

I followed the steps listed, the patch in #1 applied cleanly. After applying the patch, I got the "Custom session handler was called." text.

I should have clarified, I test both the D8 and D7 patches and got the same results.

This seems like the correct fix. Leaving it as RTBC for more people to review.

@ryanissamson: Thanks for testing this, mate!! ;)

@Dries: Thanks for weighing in!!

Version:8.x-dev» 7.x-dev
Status:Reviewed & tested by the community» Needs review

Looks good to me. Committed/pushed to 8.x. CNR for 7.x.

Status:Needs review» Reviewed & tested by the community

Thanks catch.

As stated in #8, this has already been reviewed and tested for D7.

Issue summary:View changes

Patches written.
Added test plan.

Status:Reviewed & tested by the community» Fixed

Issue summary:View changes

Updated remaining tasks.

Automatically closed -- issue fixed for 2 weeks with no activity.

Issue summary:View changes

Update remaining tasks.