Thanks for pointing out the obvious flaw in my reasoning. I really needed it. (Not sarcasm). You got me going enough to put my debugging on track. The Session was new because of the difference between navigating to http: vs. navigating to https: I'd originally logged in to the drupal 6 via http, but then the drupal 5 site redirected to https url of the site. Drupal doesn't seem to detect the user as logged in. Oddly enough, only if redirected there from another drupal site??? I can't reproduce this behavior when I just navigate to different sites with the browser. Once my module detects that there's no logged in user, it redirects to user/login, which presents a login page. When the user presses the submit button on this page, they get an access denied because drupal finally detects that the user is already logged in. I'm a bit puzzled as to why it didn't detect this at the inital redirect, and really puzzled about the difference in behavior between a redirect, and if I just type in the url directly. Given that this is third party soffware doing the redirect from drupal 5, I'm not sure whether this is a bug or not. I can work around the problem by instructing users to change their $base_url on the cas server site to make sure that it's always https, or implement secure_pages or something like that. Does anyone with more knowledge of drupal session handling have any idea as to why drupal would detect the currently logged in user incorrectly when being redirected, but not when typing the url into the browser? On Mar 20, 2009, at 11:30 AM, Moshe Weitzman wrote:
that snippit tests if the user is logged in, not if $user is populated. you could have a full anonymous $user object.
the basic loading of a $user gets triggerred by session_start() but if you have to call that on your own you are way off the beaten path in Drupal and really need to grok whats happenning step by step in order to assure security and code sanity. that gives a basic $user object. If you need it call, you might have to call user_load() yourself.
On Fri, Mar 20, 2009 at 2:02 PM, David Metzler <metzlerd@metzlerd.com> wrote:
I'm working on implementing a new cas_server module that allows drupal accounts to be used as a single - sign on source. I have a drupal 5 site issues a redirect to a drupal 6 site, and when I redirect to that page I don't find that the $user global is populated. Is there some function or include that I should b calling to make sure that this data is there?
Code snippet that isn't returning correct data.
global $user if ($user->uid) { drupal_set_message('user logged in'); } else { drupal_set_message('User not logged in'); }
Note that if I click on any other link in the drupal page. I show as being logged in, but the redirect to this page does not load the $user variable.
Developing against drupal 6.10