Merge pull request #8639 from caffeineinc/bugfix/4-duplicate-session-headers-8543
Stop duplicate session cookies on every request.
This commit is contained in:
Serge Latyntsev
GitHub
commit
600918fe39
|
|
@ -300,55 +300,46 @@ class Session
|
|||
|
||||
// If the session cookie is already set, then the session can be read even if headers_sent() = true
|
||||
// This helps with edge-case such as debugging.
|
||||
if (!session_id() && (!headers_sent() || !empty($_COOKIE[ini_get('session.name')]))) {
|
||||
$data = [];
|
||||
if (!session_id() && (!headers_sent() || $this->requestContainsSessionId($request))) {
|
||||
if (!headers_sent()) {
|
||||
session_set_cookie_params($timeout, $path, $domain ?: null, $secure, true);
|
||||
session_set_cookie_params($timeout ?: 0, $path, $domain ?: null, $secure, true);
|
||||
|
||||
$limiter = $this->config()->get('sessionCacheLimiter');
|
||||
if (isset($limiter)) {
|
||||
session_cache_limiter($limiter);
|
||||
}
|
||||
|
||||
// If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
|
||||
// Allow storing the session in a non standard location
|
||||
if ($session_path) {
|
||||
session_save_path($session_path);
|
||||
}
|
||||
|
||||
// If we want a secure cookie for HTTPS, use a separate session name. This lets us have a
|
||||
// separate (less secure) session for non-HTTPS requests
|
||||
// if headers_sent() is true then it's best to throw the resulting error rather than risk
|
||||
// a security hole.
|
||||
if ($secure) {
|
||||
session_name($this->config()->get('cookie_name_secure'));
|
||||
}
|
||||
|
||||
session_start();
|
||||
} else {
|
||||
// If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
|
||||
session_cache_limiter(null);
|
||||
}
|
||||
|
||||
// Allow storing the session in a non standard location
|
||||
if ($session_path) {
|
||||
session_save_path($session_path);
|
||||
}
|
||||
|
||||
// If we want a secure cookie for HTTPS, use a seperate session name. This lets us have a
|
||||
// seperate (less secure) session for non-HTTPS requests. Note that if this causes problems
|
||||
// if headers_sent() is true then it's best to throw the resulting error rather than risk
|
||||
// a security hole.
|
||||
if ($secure) {
|
||||
session_name($this->config()->get('cookie_name_secure'));
|
||||
}
|
||||
|
||||
session_start();
|
||||
|
||||
if (isset($_SESSION)) {
|
||||
// Initialise data from session store if present
|
||||
$data = $_SESSION;
|
||||
|
||||
// Merge in existing in-memory data, taking priority over session store data
|
||||
$this->recursivelyApply((array)$this->data, $data);
|
||||
} else {
|
||||
// Use in-memory data if the session is lazy started
|
||||
$data = $this->data;
|
||||
}
|
||||
$this->data = $data ?: [];
|
||||
} else {
|
||||
$this->data = [];
|
||||
}
|
||||
|
||||
// Modify the timeout behaviour so it's the *inactive* time before the session expires.
|
||||
// By default it's the total session lifetime
|
||||
if ($timeout && !headers_sent()) {
|
||||
Cookie::set(session_name(), session_id(), $timeout/86400, $path, $domain ? $domain
|
||||
: null, $secure, true);
|
||||
}
|
||||
// Save any modified session data back to the session store if present, otherwise initialise it to an array.
|
||||
$this->data = $data;
|
||||
|
||||
$this->started = true;
|
||||
}
|
||||
|
|
@ -438,7 +429,7 @@ class Session
|
|||
}
|
||||
|
||||
$var[] = $val;
|
||||
$diffVar[sizeof($var)-1] = $val;
|
||||
$diffVar[sizeof($var) - 1] = $val;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in New Issue