function drupal_session_regenerate
Called when an anonymous user becomes authenticated or vice-versa.
Related topics
3 calls to drupal_session_regenerate()
- user_login_finalize in modules/
user/ user.module - Finalize the login process. Must be called when logging in a user.
- user_save in modules/
user/ user.module - Save changes to a user account or add a new user.
- _user_cancel_session_regenerate in modules/
user/ user.module - Implements callback_batch_finished().
File
-
includes/
session.inc, line 374
Code
function drupal_session_regenerate() {
global $user, $is_https;
// Nothing to do if we are not allowed to change the session.
if (!drupal_save_session()) {
return;
}
if ($is_https && variable_get('https', FALSE)) {
$insecure_session_name = substr(session_name(), 1);
if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
$old_insecure_session_id = $_COOKIE[$insecure_session_name];
}
$params = session_get_cookie_params();
$session_id = drupal_random_key();
// If a session cookie lifetime is set, the session will expire
// $params['lifetime'] seconds from the current request. If it is not set,
// it will expire when the browser is closed.
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
$options = array(
'expires' => $expire,
'path' => $params['path'],
'domain' => $params['domain'],
'secure' => FALSE,
'httponly' => $params['httponly'],
);
drupal_setcookie($insecure_session_name, $session_id, $options);
$_COOKIE[$insecure_session_name] = $session_id;
}
if (drupal_session_started()) {
$old_session_id = session_id();
_drupal_session_regenerate_existing();
}
else {
session_id(drupal_random_key());
}
if (isset($old_session_id)) {
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
$options = array(
'expires' => $expire,
'path' => $params['path'],
'domain' => $params['domain'],
'secure' => $params['secure'],
'httponly' => $params['httponly'],
);
drupal_setcookie(session_name(), session_id(), $options);
$fields = array(
'sid' => drupal_session_id(session_id()),
);
if ($is_https) {
$fields['ssid'] = drupal_session_id(session_id());
// If the "secure pages" setting is enabled, use the newly-created
// insecure session identifier as the regenerated sid.
if (variable_get('https', FALSE)) {
$fields['sid'] = drupal_session_id($session_id);
}
}
db_update('sessions')->fields($fields)
->condition($is_https ? 'ssid' : 'sid', drupal_session_id($old_session_id))
->execute();
}
elseif (isset($old_insecure_session_id)) {
// If logging in to the secure site, and there was no active session on the
// secure site but a session was active on the insecure site, update the
// insecure session with the new session identifiers.
db_update('sessions')->fields(array(
'sid' => drupal_session_id($session_id),
'ssid' => drupal_session_id(session_id()),
))
->condition('sid', drupal_session_id($old_insecure_session_id))
->execute();
}
else {
// Start the session when it doesn't exist yet.
// Preserve the logged in user, as it will be reset to anonymous
// by _drupal_session_read.
$account = $user;
drupal_session_start();
$user = $account;
}
date_default_timezone_set(drupal_get_user_timezone());
}
Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.