#8543 Resolve Duplicate Headers
- Replace the session name lookup with a function that also checks secure cookies - Add a timeout which defaults to 0 (same as PHP) - Remove the PHP 7 style of session_start from the PR - Move session_start into the headers-sent block to prevent warnings.
parent
4eb6669c08
commit
1edfa4d956
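--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -301,43 +301,35 @@ class Session
 // If the session cookie is already set, then the session can be read even if headers_sent() = true
 // This helps with edge-case such as debugging.
 $data = [];
-if (!session_id() && (!headers_sent() || !empty($_COOKIE[ini_get('session.name')]))) {
+if (!session_id() && (!headers_sent() || $this->requestContainsSessionId($request))) {
 if (!headers_sent()) {
-session_set_cookie_params($timeout, $path, $domain ?: null, $secure, true);
+session_set_cookie_params($timeout ?: 0, $path, $domain ?: null, $secure, true);
 
 $limiter = $this->config()->get('sessionCacheLimiter');
 if (isset($limiter)) {
 session_cache_limiter($limiter);
 }
 
-// If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
+// Allow storing the session in a non standard location
+if ($session_path) {
+session_save_path($session_path);
+}
+
+// If we want a secure cookie for HTTPS, use a separate session name. This lets us have a
+// separate (less secure) session for non-HTTPS requests
+// if headers_sent() is true then it's best to throw the resulting error rather than risk
+// a security hole.
+if ($secure) {
+session_name($this->config()->get('cookie_name_secure'));
+}
+
+session_start();
+
 } else {
+// If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
 session_cache_limiter(null);
 }
 
-// Allow storing the session in a non standard location
-if ($session_path) {
-session_save_path($session_path);
-}
-
-// If we want a secure cookie for HTTPS, use a separate session name. This lets us have a
-// separate (less secure) session for non-HTTPS requests
-// if headers_sent() is true then it's best to throw the resulting error rather than risk
-// a security hole.
-if ($secure) {
-session_name($this->config()->get('cookie_name_secure'));
-}
-
-$sessionParameters = [
-"cookie_path" => $path,
-"cookie_domain" => $domain ?: "",
-"cookie_lifetime" => $timeout ?: 0,
-"cookie_secure" => $secure,
-"cookie_httponly" => true
-];
-
-session_start($sessionParameters);
-
 if (isset($_SESSION)) {
 // Initialise data from session store if present
 $data = $_SESSION;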
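Review bot: The `else` branch for the headers-already-sent case no longer calls `session_start()`, so when the outer condition is satisfied only through `$this->requestContainsSessionId($request)`, `$_SESSION` is never populated and the `isset($_SESSION)` check below leaves `$data` empty; the header comment's claim that "the session can be read even if headers_sent() = true" no longer holds on that path. If dropping that read path is intended (the commit message says the move is to avoid warnings), the header comment should say so, and the "if headers_sent() is true then it's best to throw the resulting error rather than risk a security hole" comment should be removed or reworded, since it now sits inside the `!headers_sent()` branch where `session_name()` can never hit that condition. Otherwise the else branch needs its own `session_start();` after `session_cache_limiter(null);`, accepting the warning that the old code tolerated. The enclosing method begins and ends outside this hunk, and `requestContainsSessionId()` is not visible here, so whether it also honours `cookie_name_secure` before `session_name()` is switched cannot be confirmed from this diff.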