[development] patch needs review

mark burdett mfburdett at gmail.com
Tue Aug 28 06:43:12 UTC 2007


Hi, here's a drupal-5 patch that could use a quick review, if anyone
has a moment:
http://drupal.org/node/170310

Quick summary of the patch:
If and only if session.cookie_secure is enabled, unique session names
will be generated for HTTP and HTTPS sites sharing the same cookie
domain, e.g. http://site.example.com/ and https://site.example.com/.
For most sites, which don't have session.cookie_secure enabled, there
will be no difference in behavior.

Until Drupal 5.2, it was possible to set different session names so
separate HTTP and HTTPS sessions could co-exist on the browser.  This
is the user-friendly way to take advantage of session.cookie_secure,
while still offering an HTTP URL for anonymous visitors.  If you use
identical session names, as Drupal 5.2 forces you to do, the
authenticated HTTPS session will be wiped out from the browser cookie
jar if the user visits an HTTP URL during her/his session (which could
happen easily if e.g. an administrator views a page via a normal URL
while doing administration work).

--mark
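
An added illustration of the cookie-jar behaviour this message describes; it is not part of the original post or of the patch at the linked node. The `SSESS`/`SESS` naming rule, the `CookieJar` class and the session values are hypothetical, and the jar assumes RFC 6265's storage model plus an HTTP site that issues a non-Secure cookie.

```python
import hashlib

def session_name(cookie_domain, https, scheme_aware):
    # Hypothetical naming rule: a distinct prefix for HTTPS only when scheme_aware.
    prefix = "SSESS" if (scheme_aware and https) else "SESS"
    return prefix + hashlib.sha256(cookie_domain.encode()).hexdigest()[:32]

class CookieJar:
    """RFC 6265 storage model: a cookie's identity is (name, domain, path).
    The Secure attribute is not part of that key."""
    def __init__(self):
        self.store = {}

    def set_cookie(self, name, value, domain, secure, path="/"):
        self.store[(name, domain, path)] = (value, secure)  # same key: replaced

    def cookies_for(self, domain, https):
        # Secure cookies are only sent over HTTPS; others are sent on both.
        return {name: value for (name, dom, _), (value, secure)
                in self.store.items() if dom == domain and (https or not secure)}

def https_session_after_http_visit(scheme_aware, domain="site.example.com"):
    """Log in over HTTPS, view one page over HTTP, return to HTTPS.
    Returns the session value the HTTPS site reads on return (None if lost)."""
    jar = CookieJar()
    https_name = session_name(domain, True, scheme_aware)
    http_name = session_name(domain, False, scheme_aware)
    # 1. HTTPS login: session.cookie_secure is on, so the cookie is Secure.
    jar.set_cookie(https_name, "authenticated-session", domain, secure=True)
    # 2. HTTP page view: the Secure cookie is not sent, so the server sees no
    #    session and issues a fresh anonymous one under the HTTP session name.
    if http_name not in jar.cookies_for(domain, https=False):
        jar.set_cookie(http_name, "anonymous-session", domain, secure=False)
    # 3. Back on HTTPS: the server looks up its own session name.
    value = jar.cookies_for(domain, https=True).get(https_name)
    return value if value == "authenticated-session" else None

if __name__ == "__main__":
    print("same name:     ", https_session_after_http_visit(scheme_aware=False))
    print("distinct names:", https_session_after_http_visit(scheme_aware=True))
```

Browsers that apply the later "Leave Secure Cookies Alone" rule refuse the insecure overwrite in step 2 instead of replacing the Secure cookie, so the same-name case plays out differently there.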

