[development] Security Question about session handling

Ernst Plüss ernst.pluess at gmail.com
Mon Feb 8 17:11:15 UTC 2010

Hi Drupal friends,

I've written a patch for the ip_login module. It extends the module with the
possibility to have a "login as another user" link.

Basically it does the following things:

   1. Logs out the current user.
   2. Makes sure ip_login does not straight login again.
   3. Shows the user login screen.

My code works, but I'm not 100% sure whether it's safe to code it like that.
Could someone have an eye on it?

/**
 * Logs the current user out and starts a new session.
 * Most of the code is taken from user_logout() and _drupal_bootstrap().
 */
function ip_login_as_different_user() {
  global $user;

  // Argument array as in user_logout().
  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session:
  // Only variables can be passed by reference workaround.
  $null = NULL;
  user_module_invoke('logout', $null, $user);

  // Load the anonymous user
  $user = drupal_anonymous_user();

  require_once variable_get('session_inc', './includes/session.inc');
  session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');

  // show the login page
}
Thanks for taking your time!
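For comparison, here is an added example (written for this page, not Ernst's patch and not code from the ip_login module) of the same logout-then-show-login sequence against the Drupal 6 API. It follows the order used by user_logout() in modules/user/user.module; the function name and the 'user/login' destination are assumptions. The point it illustrates is that user_logout() calls session_destroy() before it invokes the logout hooks, so the old session record is removed rather than carried on under the same session id, and that the save handler does not need to be registered again, because drupal_bootstrap(DRUPAL_BOOTSTRAP_SESSION) already did that for the current request.

```php
<?php
// Added example for Drupal 6; not the poster's patch and not ip_login's code.
// Assumed names: ip_login_as_different_user_example(), destination 'user/login'.

/**
 * End the current user's session and send the browser to the login form.
 *
 * Mirrors user_logout(): log, destroy the session, run hook_user('logout'),
 * switch to the anonymous user, redirect. The save handler registered during
 * bootstrap is left untouched.
 */
function ip_login_as_different_user_example() {
  global $user;

  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));

  // Destroy the current session first, as user_logout() does. This removes
  // the session row through sess_destroy_sid(), so the id the browser still
  // holds no longer maps to the user who just logged out.
  session_destroy();

  // Only variables can be passed by reference workaround.
  $null = NULL;
  user_module_invoke('logout', $null, $user);

  // From here on the request runs as the anonymous user.
  $user = drupal_anonymous_user();

  // Show the login form. When the next user authenticates,
  // user_authenticate_finalize() calls sess_regenerate(), so the new login
  // does not reuse the session id that was in the cookie before.
  drupal_goto('user/login');
}
```

One caveat for step 2 of the plan ("make sure ip_login does not straight login again"): nothing assigned to $_SESSION after session_destroy() is persisted unless a session is started again, so a "skip auto-login" marker cannot be stored in the session that is being torn down; it has to travel with the redirect or be checked some other way. That part is not coded above, since the page does not show how ip_login decides to log a visitor in.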