
function drupal_session_regenerate in Drupal 7

Called when an anonymous user becomes authenticated or vice-versa.


3 calls to drupal_session_regenerate()
user_login_finalize in modules/user/user.module
Finalize the login process. Must be called when logging in a user.
user_save in modules/user/user.module
Save changes to a user account or add a new user.
_user_cancel_session_regenerate in modules/user/user.module
Implements callback_batch_finished().

File

includes/session.inc, line 371
User session handling functions.

Code

/**
 * Replaces the current session identifier(s) with freshly generated ones.
 *
 * Called when an anonymous user becomes authenticated or vice-versa. A new
 * identifier is issued at that point and the matching row in the sessions
 * table is re-keyed to it, so the identifier that selected the row before the
 * change no longer selects it afterwards.
 *
 * Does nothing when drupal_save_session() reports that the session may not be
 * changed. Otherwise it sets cookies, may update the sessions table, may start
 * a session, and resets the default timezone before returning.
 */
function drupal_session_regenerate() {
  global $user, $is_https;

  // Nothing to do if we are not allowed to change the session.
  if (!drupal_save_session()) {
    return;
  }
  // HTTPS request with the 'https' variable enabled: besides the session
  // cookie for this request, a second cookie without the Secure flag is
  // issued under a separate name.
  if ($is_https && variable_get('https', FALSE)) {
    // The insecure cookie name is the current session name minus its first
    // character.
    $insecure_session_name = substr(session_name(), 1);
    // Remember the identifier the browser sent for the insecure session so the
    // existing row can be found later. Skipped when $GLOBALS['lazy_session']
    // is set; that flag is maintained outside this function.
    if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
      $old_insecure_session_id = $_COOKIE[$insecure_session_name];
    }
    $params = session_get_cookie_params();
    // New value for the insecure cookie. drupal_random_key() is defined
    // elsewhere; its randomness source is not visible here.
    $session_id = drupal_random_key();

    // If a session cookie lifetime is set, the session will expire
    // $params['lifetime'] seconds from the current request. If it is not set,
    // it will expire when the browser is closed.
    $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
    // 'secure' is forced to FALSE, so the browser will also send this cookie
    // over plain HTTP. Its value ends up in the 'sid' column below, while the
    // identifier of the HTTPS session goes into 'ssid'.
    // NOTE(review): the code that loads sessions is not shown here; confirm
    // that HTTPS requests are matched on 'ssid' and never on this value alone.
    $options = array(
      'expires' => $expire,
      'path' => $params['path'],
      'domain' => $params['domain'],
      'secure' => FALSE,
      'httponly' => $params['httponly'],
    );
    drupal_setcookie($insecure_session_name, $session_id, $options);
    // Make the new value visible to the remainder of this request as well.
    $_COOKIE[$insecure_session_name] = $session_id;
  }
  if (drupal_session_started()) {
    // Keep the outgoing identifier: it is the lookup key for the row update
    // further down.
    $old_session_id = session_id();
    // Defined elsewhere; presumably swaps the identifier of the running
    // session, since session_id() is read back as the new value below.
    _drupal_session_regenerate_existing();
  }
  else {
    // No session running yet: only assign the identifier it will use.
    session_id(drupal_random_key());
  }
  if (isset($old_session_id)) {
    // A session was already running: re-send the session cookie with the new
    // identifier, reusing the configured cookie parameters (including the
    // configured 'secure' and 'httponly' values).
    $params = session_get_cookie_params();
    $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
    $options = array(
      'expires' => $expire,
      'path' => $params['path'],
      'domain' => $params['domain'],
      'secure' => $params['secure'],
      'httponly' => $params['httponly'],
    );
    drupal_setcookie(session_name(), session_id(), $options);
    $fields = array(
      'sid' => session_id(),
    );
    if ($is_https) {
      $fields['ssid'] = session_id();

      // If the "secure pages" setting is enabled, use the newly-created
      // insecure session identifier as the regenerated sid. $session_id was
      // assigned in the first block of this function, which is guarded by the
      // same $is_https / 'https' variable checks.
      if (variable_get('https', FALSE)) {
        $fields['sid'] = $session_id;
      }
    }
    // Re-key the stored session: the row is located by the old identifier
    // ('ssid' on HTTPS, 'sid' otherwise) and overwritten with the new one(s).
    // NOTE(review): on a plain HTTP request only 'sid' is replaced and any
    // existing 'ssid' value in the row is left as it was; confirm this is
    // intended against the code that reads sessions.
    db_update('sessions')
      ->fields($fields)
      ->condition($is_https ? 'ssid' : 'sid', $old_session_id)
      ->execute();
  }
  elseif (isset($old_insecure_session_id)) {

    // If logging in to the secure site, and there was no active session on the
    // secure site but a session was active on the insecure site, update the
    // insecure session with the new session identifiers. The row is found by
    // the insecure identifier the browser sent; both columns then receive
    // newly generated values.
    db_update('sessions')
      ->fields(array(
      'sid' => $session_id,
      'ssid' => session_id(),
    ))
      ->condition('sid', $old_insecure_session_id)
      ->execute();
  }
  else {

    // Start the session when it doesn't exist yet.
    // Preserve the logged in user, as it will be reset to anonymous
    // by _drupal_session_read.
    $account = $user;
    drupal_session_start();
    $user = $account;
  }
  // Re-apply the default timezone from drupal_get_user_timezone(), which is
  // defined elsewhere; presumably it depends on the (possibly changed) user.
  date_default_timezone_set(drupal_get_user_timezone());
}