[development] Security Question about session handling
Ernst Plüss
ernst.pluess at gmail.com
Mon Feb 8 17:11:15 UTC 2010
Hi drupal friends
I've written a patch for the ip_login module. It extends the module with the
possibility to have a "login as an other user" link.
Basically it does the following things:
1. Logs out the current user.
2. Makes sure ip_login does not straight login again.
3. Shows the user login screen.
My code works, but I'm not 100% sure whether it's safe to code it like that.
Could someone have an eye on it?
/**
 * Logs the current user out and starts a new session.
 *
 * Most of the code taken from user_logout() and _drupal_bootstrap().
 */
function ip_login_as_different_user() {
  global $user;

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session:
  session_destroy();
  // Only variables can be passed by reference workaround.
  $null = NULL;
  user_module_invoke('logout', $null, $user);

  // Load the anonymous user
  $user = drupal_anonymous_user();

  require_once variable_get('session_inc', './includes/session.inc');
  session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
  session_start();
  $_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;

  // show the login page
  drupal_goto('user');
}
Thanks for taking your time!
Ernst