Merge pull request #8387 from sminnee/fix-start-session-without-headers

FIX: Ensure existing session can be accessed if headers_sent()
2024-06-28 23:49:26 +02:00 · 2018-09-28 10:59:29 +02:00 · 2018-09-28 10:59:29 +02:00 · e57edcd060
commit e57edcd060
parent aec562f048 b98c87a6c5
1 changed files with 16 additions and 10 deletions
--- a/src/Control/Session.php
+++ b/src/Control/Session.php
@ -298,11 +298,20 @@ class Session
            }
        }

-        if (!session_id() && !headers_sent()) {
-            if ($domain) {
-                session_set_cookie_params($timeout, $path, $domain, $secure, true);
+        // If the session cookie is already set, then the session can be read even if headers_sent() = true
+        // This helps with edge-case such as debugging.
+        if (!session_id() && (!headers_sent() || !empty($_COOKIE[ini_get('session.name')]))) {
+            if (!headers_sent()) {
+                session_set_cookie_params($timeout, $path, $domain ?: null, $secure, true);
+
+                $limiter = $this->config()->get('sessionCacheLimiter');
+                if (isset($limiter)) {
+                    session_cache_limiter($limiter);
+                }
+
+            // If headers are sent then we can't have a session_cache_limiter otherwise we'll get a warning
            } else {
-                session_set_cookie_params($timeout, $path, null, $secure, true);
+                session_cache_limiter(null);
            }

            // Allow storing the session in a non standard location
@ -311,16 +320,13 @@ class Session
            }

            // If we want a secure cookie for HTTPS, use a seperate session name. This lets us have a
-            // seperate (less secure) session for non-HTTPS requests
+            // seperate (less secure) session for non-HTTPS requests. Note that if this causes problems
+            // if headers_sent() is true then it's best to throw the resulting error rather than risk
+            // a security hole.
            if ($secure) {
                session_name($this->config()->get('cookie_name_secure'));
            }

-            $limiter = $this->config()->get('sessionCacheLimiter');
-            if (isset($limiter)) {
-                session_cache_limiter($limiter);
-            }
-
            session_start();

            if (isset($_SESSION)) {