
mahara-contributors team mailing list archive

[Bug 1570744] A change has been merged

 

Reviewed:  https://reviews.mahara.org/6348
Committed: https://git.mahara.org/mahara/mahara/commit/83ec33f245b645e58d797fb1b2316d11e369119d
Submitter: Aaron Wells (aaronw@xxxxxxxxxxxxxxx)
Branch:    master

commit 83ec33f245b645e58d797fb1b2316d11e369119d
Author: Aaron Wells <aaronw@xxxxxxxxxxxxxxx>
Date:   Fri Apr 15 20:12:17 2016 +1200

Bug 1570744: Fixing session bugs

This patch does 2 things:

1. It loads the session much earlier during init.php. We wind
up creating one on *every* script load anyway, due to LiveUser's
constructor. Sometimes it gets created earlier if other code
tries to use it before then, which adds some unpredictability
to things. Moving it up to the top of init.php reduces that
unpredictability.

2. It turns out that in PHP 5.3, using header_remove('Set-Cookie')
to only doesn't remove session headers. But header_remove()
(with no params) to remove *all* cookies does remove them. So
I'm changing remove_duplicate_cookies() to use that instead.

3. Also in PHP 5.3, session headers are visible in headers_list().
In situations where your session id changes (due to session_destroy()
and session_regenerate_id()), our use of array_unique() meant we
would preserve the old and new session IDs and send both back
to the browser. This patch makes remove_duplicate_cookies() aware
of the current session ID, and it only preserves that one.

Change-Id: I7a90b8692a5f97429415aa9a17451a44cd2109dd
behatnotneeded: Covered by existing tests

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1570744

Title:
  Duplicate session headers not removed in PHP 5.3

Status in Mahara:
  In Progress
Status in Mahara 1.10 series:
  In Progress
Status in Mahara 15.04 series:
  In Progress
Status in Mahara 15.10 series:
  In Progress
Status in Mahara 16.04 series:
  In Progress
Status in Mahara 16.10 series:
  In Progress

Bug description:
  See also Bug 1570179.

  It turns out that our method clear_duplicate_cookies() doesn't work in
  PHP 5.3, because the behavior of session headers is different there
  than in the versions of PHP we tested on. We need to rewrite the
  function to work properly in PHP 5.3, as long as we claim to support
  5.3.

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1570744/+subscriptions
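
The cookie clean-up described in points 2 and 3 of the commit message, sketched as an added example. This is not Mahara's code: the function names are hypothetical, the header lines are constructed, and it assumes the session cookie value is the session ID as PHP emits it.

```php
<?php
// Added illustration, not Mahara's code. Function names are hypothetical.

// Takes headers_list() output and returns the header lines to re-send:
// non-cookie headers pass through, identical Set-Cookie lines collapse to
// one, and a session cookie survives only if it carries the current ID.
function example_filter_headers(array $headers, $sessionName, $sessionId) {
    $keep = array();
    $seen = array();
    foreach ($headers as $line) {
        if (stripos($line, 'Set-Cookie:') !== 0) {
            $keep[] = $line;
            continue;
        }
        // "Set-Cookie: name=value; attrs" -> name and decoded value
        $cookie = explode(';', substr($line, strlen('Set-Cookie:')), 2);
        $pair   = explode('=', trim($cookie[0]), 2);
        $value  = isset($pair[1]) ? urldecode($pair[1]) : '';
        if ($pair[0] === $sessionName && $value !== $sessionId) {
            continue; // session cookie with a superseded ID
        }
        if (!isset($seen[$line])) {
            $seen[$line] = true;
            $keep[] = $line;
        }
    }
    return $keep;
}

// Clears every queued header, then re-sends the filtered set.
function example_resend_headers() {
    if (headers_sent()) {
        return; // too late to change anything
    }
    $keep = example_filter_headers(headers_list(), session_name(), session_id());
    header_remove();               // no argument: removes all headers
    foreach ($keep as $line) {
        header($line, false);      // false: append, do not replace same-name headers
    }
}

// Constructed sample: a login that regenerated the session ID.
$sample = array(
    'Content-Type: text/html; charset=UTF-8',
    'Set-Cookie: PHPSESSID=oldid111; path=/; HttpOnly',
    'Set-Cookie: PHPSESSID=newid222; path=/; HttpOnly',
    'Set-Cookie: PHPSESSID=newid222; path=/; HttpOnly',
    'Set-Cookie: theme=raw; path=/',
);
print_r(example_filter_headers($sample, 'PHPSESSID', 'newid222'));
```

Because `header_remove()` with no argument drops every queued header, the non-cookie headers have to be captured and re-sent along with the surviving cookies.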

