Merge pull request #8639 from caffeineinc/bugfix/4-duplicate-session-headers-8543

Stop duplicate session cookies on every request.
2024-10-22 12:05:37 +00:00 · 2018-12-19 13:56:24 +13:00 · 2018-12-19 13:56:24 +13:00 · 600918fe39
commit 600918fe39
parent 7d1aa44786 d01585cc98
1 changed files with 22 additions and 31 deletions
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@ -300,27 +300,23 @@ class Session

        // If the session cookie is already set, then the session can be read even if headers_sent() = true
        // This helps with edge-case such as debugging.
-        if (!session_id() && (!headers_sent() || !empty($_COOKIE[ini_get('session.name')]))) {
+        $data = [];
+        if (!session_id() && (!headers_sent() || $this->requestContainsSessionId($request))) {
            if (!headers_sent()) {
-                session_set_cookie_params($timeout, $path, $domain ?: null, $secure, true);
+                session_set_cookie_params($timeout ?: 0, $path, $domain ?: null, $secure, true);

                $limiter = $this->config()->get('sessionCacheLimiter');
                if (isset($limiter)) {
                    session_cache_limiter($limiter);
                }

-            // If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
-            } else {
-                session_cache_limiter(null);
-            }
-
                // Allow storing the session in a non standard location
                if ($session_path) {
                    session_save_path($session_path);
                }

-            // If we want a secure cookie for HTTPS, use a seperate session name. This lets us have a
-            // seperate (less secure) session for non-HTTPS requests. Note that if this causes problems
+                // If we want a secure cookie for HTTPS, use a separate session name. This lets us have a
+                // separate (less secure) session for non-HTTPS requests
                // if headers_sent() is true then it's best to throw the resulting error rather than risk
                // a security hole.
                if ($secure) {
@ -328,27 +324,22 @@ class Session
                }

                session_start();
+            } else {
+                // If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
+                session_cache_limiter(null);
+            }

            if (isset($_SESSION)) {
                // Initialise data from session store if present
                $data = $_SESSION;
+
                // Merge in existing in-memory data, taking priority over session store data
                $this->recursivelyApply((array)$this->data, $data);
-            } else {
-                // Use in-memory data if the session is lazy started
-                $data = $this->data;
            }
-            $this->data = $data ?: [];
-        } else {
-            $this->data = [];
        }

-        // Modify the timeout behaviour so it's the *inactive* time before the session expires.
-        // By default it's the total session lifetime
-        if ($timeout && !headers_sent()) {
-            Cookie::set(session_name(), session_id(), $timeout/86400, $path, $domain ? $domain
-                : null, $secure, true);
-        }
+        // Save any modified session data back to the session store if present, otherwise initialise it to an array.
+        $this->data = $data;

        $this->started = true;
    }
@ -438,7 +429,7 @@ class Session
        }

        $var[] = $val;
-        $diffVar[sizeof($var)-1] = $val;
+        $diffVar[sizeof($var) - 1] = $val;
    }

    /**