[development] Security Question about session handling

Ernst Plüss ernst.pluess at gmail.com
Mon Feb 8 19:00:27 UTC 2010


Thanks for the hint. I didn't know about
user_external_login() <http://api.drupal.org/api/function/user_external_login/6>.

Unfortunately it does not allow me to start a new session and call
$_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;. This line is very important,
because later on it tells ip_login not to do an autologin but let the user
login as a different user.

Are there some more things to think about?
Best Regards
Ernst



2010/2/8 Brian Vuyk <brian at brianvuyk.com>

> Is it possible this could be simplified somewhat by using
> user_external_login()?
>
> http://api.drupal.org/api/function/user_external_login/6
>
>
> Ernst Plüss wrote:
>
> Hi drupal friends
>
> I've written a patch for the ip_login module. It extends the module with
> the possibility to have a "log in as another user" link.
>
> Basically it does the following things:
>
>    1. Logs out the current user.
>    2. Makes sure ip_login does not straight login again.
>    3. Shows the user login screen.
>
> My code works, but I'm not 100% sure whether it's safe to code it like
> that. Could someone have an eye on it?
>
>
> /**
>  * Logs the current user out and starts a new session.
>  *
>  * Most of the code taken from user_logout() and _drupal_bootstrap().
>  */
> function ip_login_as_different_user() {
>   global $user;
>
>   watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
>
>   // Destroy the current session:
>   session_destroy();
>   // Only variables can be passed by reference workaround.
>   $null = NULL;
>   user_module_invoke('logout', $null, $user);
>
>   // Load the anonymous user
>   $user = drupal_anonymous_user();
>
>   require_once variable_get('session_inc', './includes/session.inc');
>   session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
>   session_start();
>
>   $_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;
>
>   // show the login page
>   drupal_goto('user');
> }
>
> Thanks for taking your time!
> Ernst
>
>
>
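An added illustration of the "log out, open a fresh session, set a one-shot marker" pattern the thread is discussing. This is not the ip_login patch and not Drupal's API: it uses plain PHP session functions so it can be read on its own, and the key name LOGIN_AS_DIFFERENT_USER and both function names are assumptions. The two points it makes explicit are the ones a reviewer of the quoted function would look for: the old session's data and id are both discarded before the marker is written, and the marker is consumed on first read rather than left in the session for its whole lifetime. In Drupal 6 the id change is done through sess_regenerate() from includes/session.inc rather than session_regenerate_id() directly.

```php
<?php
// Added example, not code from the ip_login module or from Drupal core.
// Assumption: plain PHP sessions with the default save handler.

define('LOGIN_AS_DIFFERENT_USER', 'login_as_different_user'); // hypothetical key

/**
 * Ends the current user's session and opens a fresh, anonymous one that
 * carries a one-shot "skip auto-login" marker.
 *
 * Order matters:
 *  1. clear and destroy the old session, so nothing belonging to the
 *     previously auto-logged-in user survives into the new one;
 *  2. start a new session under a NEW id, so an old id that was bound to
 *     the previous user cannot be resumed later to pick up the marker;
 *  3. only then write the marker.
 */
function logout_for_user_switch() {
  if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
  }
  $_SESSION = array();           // drop everything from the old user
  session_destroy();             // remove the server-side record of that session
  session_start();               // open a new session ...
  session_regenerate_id(TRUE);   // ... under a new id; the old id is deleted
  $_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;
}

/**
 * What an IP-based auto-login hook would consult on the next request.
 * The marker is removed as soon as it is honoured, so auto-login is skipped
 * for exactly one visit to the login screen instead of being switched off
 * for the rest of the session.
 */
function ip_autologin_allowed() {
  if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
  }
  if (!empty($_SESSION[LOGIN_AS_DIFFERENT_USER])) {
    unset($_SESSION[LOGIN_AS_DIFFERENT_USER]);
    return FALSE;   // show the normal login form this time
  }
  return TRUE;      // no marker: IP-based auto-login may proceed
}

// Usage sketch (request 1: user clicks the "log in as another user" link):
//   logout_for_user_switch();  then redirect to the login page
// Request 2 (login page loads): ip_autologin_allowed() returns FALSE once,
// and the next request after that returns TRUE again.
```

The quoted ip_login function destroys the old session and calls session_start() again, but whether the new session runs under a new id depends on the save handler, so it is worth confirming with sess_regenerate() rather than relying on it. Likewise, whichever hook in ip_login reads the marker should clear it after use; otherwise a user who changes their mind keeps losing auto-login until the session expires.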