By Chris Howell


2019-04-15 19:19:12 8 Comments

We have an application that we developed in Drupal 7 and I am tasked with migrating this form to Drupal 8. I have a question about the session behavior which seems to have changed from Drupal 7 to 8.

Our application is a node and whenever that node is navigated to, or refreshed, the session is unset and restarted (for security purposes).

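function fu_preprocess_node__application(&$vars) {
    // Wipe every variable in the current PHP session.
    session_unset();
    // No active session: start one with an 8-hour (28800 s) GC lifetime.
    if (session_id() == '') {
        ini_set('session.gc_maxlifetime', '28800');
        session_start();
    }
}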

In Drupal 7, if I am logged in as an admin user and working on the form and I navigate to the application node to view it, I am fine. However, in Drupal 8, when I am logged in to Drupal and I wish to view this page, the session_unset() logs me out and gives access denied errors for contextual/render and history/23/read.

What do I need to change so that we can unset the session for the application form but not get logged out as a Drupal user? For the typical user of this form, who does not log in as a Drupal user, this is not an issue. But as an admin working on the form, it is an issue.

1 comment

@Chris Howell 2019-04-16 18:54:51

I was able to combine two of the responses to solve my problem. I indeed updated it to use the Symfony that is now part of Drupal 8 (Comment #3). Reading https://www.drupal.org/docs/7/security/safely-impersonating-another-user gave me an idea to test for anonymity. So I ended up changing the original code to:

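// Only reset the session for visitors who are not logged in to Drupal.
if (\Drupal::currentUser()->isAnonymous()) {
    $request = \Drupal::request();
    $session = $request->getSession();
    // Remove all attributes stored in the session.
    $session->clear();
    if ($session->getId() == '') {
        ini_set('session.gc_maxlifetime', '28800');
        $session->start();
    }
}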

This seemed to make my problem go away. Not sure if this is the best solution, or a band-aid, but it worked for me.
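An added example, not code from the question or the answer: Drupal 8 keeps the logged-in user's `uid` in the same Symfony session, which is why clearing the whole session logs an admin out. This variant removes only the form's own keys, for every visitor. The `fu_application.` prefix and the `fu_clear_application_session()` helper are assumptions, and it presumes the form stores its data through `$session->set()`.

```php
<?php

use Symfony\Component\HttpFoundation\Session\SessionInterface;

// Hypothetical prefix: assumes the form saves its data with
// $session->set('fu_application.<name>', $value).
const FU_APPLICATION_PREFIX = 'fu_application.';

/**
 * Removes only the application form's keys from the session.
 *
 * Every other key, including the 'uid' Drupal 8 stores for a logged-in
 * user, is left in place, so an admin viewing the node stays logged in.
 *
 * @return int
 *   Number of keys removed.
 */
function fu_clear_application_session(SessionInterface $session): int {
  $removed = 0;
  foreach (array_keys($session->all()) as $key) {
    // Match on the prefix only; unrelated session data is not touched.
    if (strpos((string) $key, FU_APPLICATION_PREFIX) === 0) {
      $session->remove($key);
      $removed++;
    }
  }
  return $removed;
}

/**
 * Preprocess hook from the question, rewritten around the helper above.
 */
function fu_preprocess_node__application(&$vars) {
  // Same session object the answer uses, but no blanket clear().
  $session = \Drupal::request()->getSession();
  fu_clear_application_session($session);
}
```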
