[development] Security Question about session handling
Ernst Plüss
ernst.pluess at gmail.com
Mon Feb 8 19:00:27 UTC 2010
Thanks for the hint. I didn't know about
user_external_login() <http://api.drupal.org/api/function/user_external_login/6>.
Unfortunately it does not allow me to start a new session and call
$_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;. This line is very important,
because later on it tells ip_login not to do an autologin but lets the user
log in as a different user.
Are there some more things to think about?
Best Regards
Ernst
2010/2/8 Brian Vuyk <brian at brianvuyk.com>
> Is it possible this could be simplified somewhat by using
> user_external_login()?
>
> http://api.drupal.org/api/function/user_external_login/6
>
>
> Ernst Plüss wrote:
>
> Hi drupal friends
>
> I've written a patch for the ip_login module. It extends the module with
> the possibility to have a "login as another user" link.
>
> Basically it does the following things:
>
> 1. Logs out the current user.
> 2. Makes sure ip_login does not straight login again.
> 3. Shows the user login screen.
>
> My code works, but I'm not 100% sure whether it's safe to code it like
> that. Could someone have an eye on it?
>
>
> /**
>  * Logs the current user out and starts a new session.
>  *
>  * Most of the code taken from user_logout() and _drupal_bootstrap().
>  */
> function ip_login_as_different_user() {
>   global $user;
>
>   watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
>
>   // Destroy the current session:
>   session_destroy();
>   // Only variables can be passed by reference workaround.
>   $null = NULL;
>   user_module_invoke('logout', $null, $user);
>
>   // Load the anonymous user
>   $user = drupal_anonymous_user();
>
>   // Re-register Drupal's session save handlers (as _drupal_bootstrap() does)
>   // and open a fresh session. Note: session_start() picks up the session ID
>   // still held in the browser's cookie, so the ID itself is not rotated here.
>   require_once variable_get('session_inc', './includes/session.inc');
>   session_set_save_handler('sess_open', 'sess_close', 'sess_read', 'sess_write', 'sess_destroy_sid', 'sess_gc');
>   session_start();
>
>   // Tell ip_login not to auto-login on the following requests.
>   $_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;
>
>   // show the login page
>   drupal_goto('user');
> }
>
> Thanks for taking your time!
> Ernst
>
>
>
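The flow discussed in this thread, as an added Drupal 6 example that is neither Ernst's patch nor the ip_login module's own code: the first function mirrors user_logout() and _drupal_bootstrap() but rotates the session ID with Drupal 6's sess_regenerate() before setting the flag, and the second, assumed to be ip_login's hook_init(), skips IP auto-login while the flag is set and clears it once a real login has happened. ip_login_autologin_for_ip() and the constant's value are assumptions.

```php
<?php
// Added Drupal 6 example, not the thread's patch or ip_login's own code.
// ip_login_autologin_for_ip() is a hypothetical stand-in for the module's
// IP -> account lookup; the constant's name and value are assumed.
define('LOGIN_AS_DIFFERENT_USER', 'ip_login_as_different_user');

/**
 * Ends the current session and sends the user to the login form, flagging the
 * fresh session so ip_login does not log them straight back in by IP.
 */
function ip_login_as_different_user() {
  global $user;
  watchdog('user', 'Session closed for %name.', array('%name' => $user->name));
  // Same sequence as user_logout(): drop the server-side session record,
  // notify modules, continue as anonymous.
  session_destroy();
  $null = NULL;
  user_module_invoke('logout', $null, $user);
  $user = drupal_anonymous_user();
  // Re-attach Drupal's save handlers, as _drupal_bootstrap() does.
  require_once variable_get('session_inc', './includes/session.inc');
  session_set_save_handler('sess_open', 'sess_close', 'sess_read',
    'sess_write', 'sess_destroy_sid', 'sess_gc');
  session_start();
  // session_start() reuses the ID from the browser's cookie. Rotate it so the
  // flagged pre-login session never shares an ID with the one just destroyed
  // (the same call user_authenticate_finalize() makes on a normal login).
  sess_regenerate();
  $_SESSION[LOGIN_AS_DIFFERENT_USER] = TRUE;
  drupal_goto('user');
}

/**
 * Implementation of hook_init(): suspend IP auto-login while the flag is set,
 * and clear it once a real login has happened.
 */
function ip_login_init() {
  global $user;
  if ($user->uid) {
    // A real login succeeded; later anonymous visits from this IP may
    // auto-login again as usual.
    unset($_SESSION[LOGIN_AS_DIFFERENT_USER]);
    return;
  }
  if (!empty($_SESSION[LOGIN_AS_DIFFERENT_USER])) {
    return;
  }
  if ($account = ip_login_autologin_for_ip(ip_address())) {
    user_external_login($account);
  }
}
```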