Comment 13 for bug 1570744

Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/6369
Committed: https://git.mahara.org/mahara/mahara/commit/6d469bd61156ceabdfee10291d0af6b096b2309d
Submitter: Aaron Wells (<email address hidden>)
Branch: 15.10_STABLE

commit 6d469bd61156ceabdfee10291d0af6b096b2309d
Author: Aaron Wells <email address hidden>
Date: Fri Apr 15 20:12:17 2016 +1200

Bug 1570744: Fixing session bugs

This patch does 2 things:

1. It loads the session much earlier during init.php. We wind
up creating one on *every* script load anyway, due to LiveUser's
constructor. Sometimes it gets created earlier if other code
tries to use it before then, which adds some unpredictability
to things. Moving it up to the top of init.php reduces that
unpredictability.

2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
to only doesn't remove session headers. But header_remove()
(with no params) to remove *all* cookies does remove them. So
I'm changing remove_duplicate_cookies() to use that instead.

3. Also in PHP 5.3, session headers are visible in headers_list().
In situations where your session id changes (due to session_destroy()
and session_regenerate_id()), our use of array_unique() meant we
would preserve the old and new session IDs and send both back
to the browser. This patch makes remove_duplicate_cookies() aware
of the current session ID, and it only preserves that one.

Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
behatnotneeded: Covered by existing tests
(cherry picked from commit 83ec33f245b645e58d797fb1b2316d11e369119d)
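
The filtering rule the commit message describes for remove_duplicate_cookies(), as an added PHP sketch (not Mahara's code and not taken from this commit). The function name `dedupe_cookie_headers`, the cookie name `mahara`, and the sample header values are assumptions constructed for illustration.

```php
<?php
// Added illustration; not Mahara's remove_duplicate_cookies().
// Pure function, so the logic can be exercised without sending headers.

/**
 * @param string[] $headers  Lines in the form headers_list() returns
 * @param string   $sessname Session cookie name, e.g. session_name()
 * @param string   $sessid   Current session id, e.g. session_id()
 * @return string[] Header lines that should be re-sent
 */
function dedupe_cookie_headers(array $headers, $sessname, $sessid) {
    $out = array();
    $seen = array();
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            $out[] = $line;              // non-cookie headers pass through
            continue;
        }
        // "Set-Cookie: name=value; attrs" -> cookie name and value
        $rest  = trim(substr($line, strlen('Set-Cookie:')));
        $parts = explode(';', $rest, 2);
        $nv    = explode('=', $parts[0], 2);
        $name  = trim($nv[0]);
        $value = isset($nv[1]) ? urldecode(trim($nv[1])) : '';
        if ($name === $sessname && $value !== $sessid) {
            continue;                    // stale session id: never send it back
        }
        if (isset($seen[$line])) {
            continue;                    // exact duplicate of a kept line
        }
        $seen[$line] = true;
        $out[] = $line;
    }
    return $out;
}

// Constructed sample: header state after session_regenerate_id() on PHP 5.3
$sample = array(
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: mahara=oldid111; path=/; HttpOnly',
    'Set-Cookie: mahara=newid222; path=/; HttpOnly',
    'Set-Cookie: mahara=newid222; path=/; HttpOnly',
    'Set-Cookie: theme=raw; path=/',
);
// Keeps Content-Type, one mahara=newid222 line, and the theme cookie.
print_r(dedupe_cookie_headers($sample, 'mahara', 'newid222'));
```

In a live request the kept lines would be re-sent with `header($line, false)` after a bare `header_remove()`, which is why the function returns the non-cookie headers as well.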