Issue #2378699 by klausi, David_Rothstein, pwolanin: Port session hijacking...

Issue #2378699 by klausi, David_Rothstein, pwolanin: Port session hijacking fixes from SA-CORE-2014-006 to Drupal 8

Issue #2378699 by klausi, David_Rothstein, pwolanin: Port session hijacking...
Issue #2378699 by klausi, David_Rothstein, pwolanin: Port session hijacking fixes from SA-CORE-2014-006 to Drupal 8
040dc5ff · alexpott · 62ee12bb · 040dc5ff
Commit 040dc5ff authored Nov 21, 2014 by alexpott
--- a/core/lib/Drupal/Core/Session/SessionHandler.php
+++ b/core/lib/Drupal/Core/Session/SessionHandler.php
@@ -80,7 +80,7 @@ public function read($sid) {
    // cookies (eg. web crawlers).
    $insecure_session_name = $this->sessionManager->getInsecureName();
    $cookies = $this->requestStack->getCurrentRequest()->cookies;
-    if (!$cookies->has($this->getName()) && !$cookies->has($insecure_session_name)) {
+    if (empty($sid) || (!$cookies->has($this->getName()) && !$cookies->has($insecure_session_name))) {
      $user = new UserSession();
      return '';
    }