[development] transferring session info across login event

Neil Drumm drumm at delocalizedham.com
Sat Jul 26 00:46:08 UTC 2008


Session ID regeneration is just that, a new session ID for the same session.
Session variables are not overwritten.

To test, I found my session ID, for an anonymous session, and did:
UPDATE sessions SET session = 'debug|s:1:"a"' WHERE sid = '...';

After logging in, the session variables had not changed. Executing
print_r($_SESSION);
resulted in the expected
Array
(
 [debug] => a
)

-Neil

On Fri, Jul 25, 2008 at 5:09 PM, mark burdett <mfburdett at gmail.com> wrote:

> I'd also like to know the proper technique for moving session data
> from anonymous to logged in user.
>
> This diff
> http://cvs.drupal.org/viewvc.py/drupal/drupal/modules/user/user.module?r1=1.745.2.30&r2=1.745.2.31&pathrev=DRUPAL-5
> shows how the session is now regenerated after a successful login and
> before the login hook is invoked.  This change breaks the ability to
> login and keep the contents of your shopping cart in drupal e-commerce
> 5-3, for example.  Maybe pre-login and post-login hooks are needed?
>
> --mark
>
> On Wed, Jul 23, 2008 at 7:08 AM, Alan Dixon <alan.g.dixon at gmail.com>
> wrote:
> > i'm wondering if your statement:
> >
> > "the login event regenerates the session"
> >
> > is completely true.
> >
> > I don't believe that the php session cookie changes, and I don't see
> > anywhere (or why) drupal would completely remove all $_SESSION info on
> > login.
> >
> > I think what does happen is that Drupal's private session stuff as
> > stored in the session table gets cleared out (primarily the user
> > object that gets cached, i'm not sure what else), but you don't need
> > to worry about that do you?
> >
> > Put all your pre-login stuff into $_SESSION and then it should still
> > be there after login, I think.
> >
> >  - Alan
> >
> > On Mon, Jul 14, 2008 at 1:37 PM, Joe Murray
> > <joe.murray at jmaconsulting.biz> wrote:
> >> I have a use case where anonymous users can do a bunch of work, and then
> at
> >> the end request to save it, which requires logging in (and possibly also
> >> creating an account). The login event regenerates the session, and so
> far as
> >> I know 5.x does not provide a hook that can be used to copy info from
> the
> >> old session into the new so that it can be saved in a way that is
> associated
> >> with the correct uid. I suppose such a hook so would open up lots of
> >> security issues. Still, this is the second time I've confronted this
> sort of
> >> an issue, and I don't know the correct design pattern to handle it in
> >> Drupal. Comments and suggestions welcome.
> >>
> >>
> >>
> >> Cheers,
> >>
> >>
> >>
> >> Joe Murray, PhD
> >>
> >> President, JMA Consulting
> >>
> >> @ The Centre for Social Innovation
> >>
> >> 215 Spadina Ave, Suite 400, Toronto, Ontario, Canada  M5T 2C7
> >>
> >> 416.466.1281, (416) 644-0116 (f)
> >>
> >> joe.murray at jmaconsulting.biz
> >>
> >> Skype: josephpmurray
> >>
> >>
> >
> >
> >
> > --
> > Alan Dixon, Web Developer
> > http://alan.g.dixon.googlepages.com/
> >
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.drupal.org/pipermail/development/attachments/20080725/dab6fc38/attachment.htm 


More information about the development mailing list