[development] sid not available in anonimous user

Ivan Sergio Borgonovo mail at webthatworks.it
Wed Jan 16 16:01:11 UTC 2008


On Wed, 16 Jan 2008 10:14:12 -0500
Earnie Boyd <earnie at users.sourceforge.net> wrote:

> Quoting Ivan Sergio Borgonovo <mail at webthatworks.it>:
> 
> >
> > If there isn't any good reason to kill it... could this small
> > change get into core?
> >
> 
> Isn't it a problem that uid 0 has many sessions?

yes and no...
All anonymous users share one entry in the users table BUT they don't
share the same row in the sessions table.

You can find what happens in include/sessions.inc sess_read

drupal load stuff from sessions table... but then discharge it if the
user is anonymous reloading from drupal_anonymous_user.

I know that sid could be easily be loaded from $_SESSION but a common
interface to registered/anon users would be nicer.

You call your function the same way passing $user->sid no matter if
the user is authenticated or not.

I was wondering if there are any assumptions in the rest of drupal
code about $user->sid for anonymous users...
Generally uid is checked... but maybe in some cleanup place (eg.
logout, session expiration, whatever in the thousands lines of code
of drupal) the assumption that $user->sid is not set is made and I'd
like to have surprises.

If such assumption is not made... it would be nice if people that
can commit on core made sid available even for anon users.

I already patched my drupal... but patching others code without the
hope your patch get included upstream is always a maintenance
nightmare on the long run.

If people find it a good idea to be able to get $user->sid even for
not authenticated users... I don't mind about the implementation ;)
If people think it is a bad idea, I'd like to know why.

thx

-- 
Ivan Sergio Borgonovo
http://www.webthatworks.it



More information about the development mailing list