Commit 8d601c74 authored by webchick's avatar webchick

Issue #2342593 by znerol, grendzy, David_Rothstein: Remove mixed SSL support from core

parent 602a1443
......@@ -495,7 +495,7 @@ services:
- { name: service_collector, tag: route_filter, call: addRouteFilter }
url_generator:
class: Drupal\Core\Routing\UrlGenerator
arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@settings', '@logger.channel.default', '@request_stack']
arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@logger.channel.default', '@request_stack']
calls:
- [setContext, ['@?router.request_context']]
unrouted_url_assembler:
......
......@@ -52,9 +52,6 @@ public function getFormID() {
* {@inheritdoc}
*/
public function buildForm(array $form, FormStateInterface $form_state) {
// If possible, we want to post this form securely via HTTPS.
$form['#https'] = TRUE;
// Get all the available ways to transfer files.
if (empty($_SESSION['authorize_filetransfer_info'])) {
drupal_set_message($this->t('Unable to continue, no available methods of file transfer'), 'error');
......
......@@ -16,7 +16,6 @@
use Drupal\Core\DependencyInjection\ClassResolverInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Render\Element;
use Drupal\Core\Site\Settings;
use Drupal\Core\Theme\ThemeManagerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\HttpFoundation\RequestStack;
......@@ -694,8 +693,7 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state
// Special handling if we're on the top level form element.
if (isset($element['#type']) && $element['#type'] == 'form') {
if (!empty($element['#https']) && Settings::get('mixed_mode_sessions', FALSE) &&
!UrlHelper::isExternal($element['#action'])) {
if (!empty($element['#https']) && !UrlHelper::isExternal($element['#action'])) {
global $base_root;
// Not an external URL so ensure that it is secure.
......
......@@ -67,8 +67,7 @@ public function __construct($text, Url $url) {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return static
*/
......
......@@ -20,7 +20,6 @@
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PathProcessor\OutboundPathProcessorInterface;
use Drupal\Core\RouteProcessor\OutboundRouteProcessorInterface;
use Drupal\Core\Site\Settings;
/**
* Generates URLs from route names and parameters.
......@@ -48,13 +47,6 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
*/
protected $routeProcessor;
/**
* Whether both secure and insecure session cookies can be used simultaneously.
*
* @var bool
*/
protected $mixedModeSessions;
/**
* Overrides characters that will not be percent-encoded in the path segment.
*
......@@ -78,19 +70,16 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
* The route processor.
* @param \Drupal\Core\Config\ConfigFactoryInterface $config
* The config factory.
* @param \Drupal\Core\Site\Settings $settings
* The read only settings.
* @param \Psr\Log\LoggerInterface $logger
* An optional logger for recording errors.
* @param \Symfony\Component\HttpFoundation\RequestStack $request_stack
* A request stack object.
*/
public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, Settings $settings, LoggerInterface $logger = NULL, RequestStack $request_stack) {
public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, LoggerInterface $logger = NULL, RequestStack $request_stack) {
parent::__construct($provider, $logger);
$this->pathProcessor = $path_processor;
$this->routeProcessor = $route_processor;
$this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
$allowed_protocols = $config->get('system.filter')->get('protocols') ?: array('http', 'https');
UrlHelper::setAllowedProtocols($allowed_protocols);
$this->requestStack = $request_stack;
......@@ -190,7 +179,7 @@ public function generateFromRoute($name, $parameters = array(), $options = array
// Prepare an absolute URL by getting the correct scheme, host and port from
// the request context.
if (isset($options['https']) && $this->mixedModeSessions) {
if (isset($options['https'])) {
$scheme = $options['https'] ? 'https' : 'http';
}
else {
......@@ -262,7 +251,7 @@ public function generateFromPath($path = NULL, $options = array()) {
if ($options['query']) {
$path .= (strpos($path, '?') !== FALSE ? '&' : '?') . UrlHelper::buildQuery($options['query']);
}
if (isset($options['https']) && $this->mixedModeSessions) {
if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$path = str_replace('http://', 'https://', $path);
}
......@@ -282,7 +271,7 @@ public function generateFromPath($path = NULL, $options = array()) {
}
// The base_url might be rewritten from the language rewrite in domain mode.
if (!isset($options['base_url'])) {
if (isset($options['https']) && $this->mixedModeSessions) {
if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $current_base_url);
$options['absolute'] = TRUE;
......
......@@ -58,8 +58,7 @@ interface UrlGeneratorInterface extends VersatileGeneratorInterface {
* \Drupal::languageManager()->getCurrentLanguage(LanguageInterface::TYPE_URL).
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
* only be enforced when the variable 'https' is set to TRUE.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* - 'base_url': Only used internally, to modify the base URL when a language
* dependent URL requires so.
* - 'prefix': Only used internally, to modify the path when a language
......@@ -132,8 +131,7 @@ public function getPathFromRoute($name, $parameters = array());
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* - 'prefix': Only used internally, to modify the path when a language
* dependent URL requires so.
*
......
......@@ -78,44 +78,15 @@ public function read($sid) {
// Handle the case of first time visitors and clients that don't store
// cookies (eg. web crawlers).
$insecure_session_name = $this->sessionManager->getInsecureName();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
if (empty($sid) || (!$cookies->has($this->getName()) && !$cookies->has($insecure_session_name))) {
if (empty($sid) || !$cookies->has($this->getName())) {
$user = new UserSession();
return '';
}
// Otherwise, if the session is still active, we have a record of the
// client's session in the database. If it's HTTPS then we are either have a
// HTTPS session or we are about to log in so we check the sessions table
// for an anonymous session with the non-HTTPS-only cookie. The session ID
// that is in the user's cookie is hashed before being stored in the
// database as a security measure. Thus, we have to hash it to match the
// database.
if ($this->requestStack->getCurrentRequest()->isSecure()) {
// Try to load a session using the HTTPS-only secure session id.
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.ssid = :ssid", array(
':ssid' => Crypt::hashBase64($sid),
))->fetchAssoc();
if (!$values) {
// Fallback and try to load the anonymous non-HTTPS session. Use the
// non-HTTPS session id as the key.
if ($cookies->has($insecure_session_name)) {
$insecure_session_id = $cookies->get($insecure_session_name);
$args = array(':sid' => Crypt::hashBase64($insecure_session_id));
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid AND s.uid = 0", $args)->fetchAssoc();
if ($values) {
$this->sessionSetObsolete($insecure_session_id);
}
}
}
}
else {
// Try to load a session using the non-HTTPS session id.
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
':sid' => Crypt::hashBase64($sid),
))->fetchAssoc();
}
$values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
':sid' => Crypt::hashBase64($sid),
))->fetchAssoc();
// We found the client's session record and they are an authenticated,
// active user.
......@@ -158,42 +129,17 @@ public function write($sid, $value) {
return TRUE;
}
// Either ssid or sid or both will be added from $key below.
$fields = array(
'uid' => $user->id(),
'hostname' => $this->requestStack->getCurrentRequest()->getClientIP(),
'session' => $value,
'timestamp' => REQUEST_TIME,
);
// Use the session ID as 'sid' and an empty string as 'ssid' by default.
// read() does not allow empty strings so that's a safe default.
$key = array('sid' => Crypt::hashBase64($sid), 'ssid' => '');
// On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
if ($this->requestStack->getCurrentRequest()->isSecure()) {
$key['ssid'] = $key['sid'];
// The "secure pages" setting allows a site to simultaneously use both
// secure and insecure session cookies. If enabled and both cookies
// are presented then use both keys. The session ID from the cookie is
// hashed before being stored in the database as a security measure.
if ($this->sessionManager->isMixedMode()) {
$insecure_session_name = $this->sessionManager->getInsecureName();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
if ($cookies->has($insecure_session_name)) {
$key['sid'] = Crypt::hashBase64($cookies->get($insecure_session_name));
}
}
}
elseif ($this->sessionManager->isMixedMode()) {
unset($key['ssid']);
}
$this->connection->merge('sessions')
->keys($key)
->keys(array('sid' => Crypt::hashBase64($sid)))
->fields($fields)
->execute();
// Remove obsolete sessions.
$this->cleanupObsoleteSessions();
// Likewise, do not update access time more than once per 180 seconds.
if ($user->isAuthenticated() && REQUEST_TIME - $user->getLastAccessedTime() > Settings::get('session_write_interval', 180)) {
/** @var \Drupal\user\UserStorageInterface $storage */
......@@ -231,10 +177,9 @@ public function destroy($sid) {
if (!$this->sessionManager->isEnabled()) {
return TRUE;
}
$is_https = $this->requestStack->getCurrentRequest()->isSecure();
// Delete session data.
$this->connection->delete('sessions')
->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($sid))
->condition('sid', Crypt::hashBase64($sid))
->execute();
// Reset $_SESSION and $user to prevent a new session from being started
......@@ -244,15 +189,6 @@ public function destroy($sid) {
// Unset the session cookies.
$this->deleteCookie($this->getName());
if ($is_https) {
$this->deleteCookie($this->sessionManager->getInsecureName(), FALSE);
}
elseif ($this->sessionManager->isMixedMode()) {
$this->deleteCookie('S' . $this->getName(), TRUE);
}
// Remove obsolete sessions.
$this->cleanupObsoleteSessions();
return TRUE;
}
......@@ -277,37 +213,14 @@ public function gc($lifetime) {
*
* @param string $name
* Name of session cookie to delete.
* @param bool $secure
* Force the secure value of the cookie.
*/
protected function deleteCookie($name, $secure = NULL) {
protected function deleteCookie($name) {
$cookies = $this->requestStack->getCurrentRequest()->cookies;
if ($cookies->has($name) || (!$this->requestStack->getCurrentRequest()->isSecure() && $secure === TRUE)) {
if ($cookies->has($name)) {
$params = session_get_cookie_params();
if ($secure !== NULL) {
$params['secure'] = $secure;
}
setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
$cookies->remove($name);
}
}
/**
* Mark a session for garbage collection upon session save.
*/
protected function sessionSetObsolete($sid, $https = FALSE) {
$this->obsoleteSessionIds[$sid] = $https ? 'ssid' : 'sid';
}
/**
* Remove sessions marked for garbage collection.
*/
protected function cleanupObsoleteSessions() {
foreach ($this->obsoleteSessionIds as $sid => $key) {
$this->connection->delete('sessions')
->condition($key, Crypt::hashBase64($sid))
->execute();
}
}
}
......@@ -31,18 +31,10 @@
* necessary to subclass it at all. In order to reach the point where Drupal
* can use the Symfony session management unmodified, the code implemented
* here needs to be extracted either into a dedicated session handler proxy
* (e.g. mixed mode SSL, sid-hashing) or relocated to the authentication
* subsystem.
* (e.g. sid-hashing) or relocated to the authentication subsystem.
*/
class SessionManager extends NativeSessionStorage implements SessionManagerInterface {
/**
* Whether or not the session manager is operating in mixed mode SSL.
*
* @var bool
*/
protected $mixedMode;
/**
* The request stack.
*
......@@ -100,8 +92,6 @@ public function __construct(RequestStack $request_stack, Connection $connection,
parent::__construct($options, $write_check_handler, $metadata_bag);
$this->setMixedMode($settings->get('mixed_mode_sessions', FALSE));
// @todo When not using the Symfony Session object, the list of bags in the
// NativeSessionStorage will remain uninitialized. This will lead to
// errors in NativeSessionHandler::loadSession. Remove this after
......@@ -121,10 +111,8 @@ public function start() {
return $this->started;
}
$is_https = $this->requestStack->getCurrentRequest()->isSecure();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
$insecure_session_name = $this->getInsecureName();
if (($cookies->has($this->getName()) && ($session_name = $cookies->get($this->getName()))) || ($is_https && $this->isMixedMode() && ($cookies->has($insecure_session_name) && ($session_name = $cookies->get($insecure_session_name))))) {
if ($cookies->get($this->getName())) {
// If a session cookie exists, initialize the session. Otherwise the
// session is only started on demand in save(), making
// anonymous users not use a session cookie unless something is stored in
......@@ -144,10 +132,6 @@ public function start() {
// default php session id instead of generating a custom one:
// https://www.drupal.org/node/2238561
$this->setId(Crypt::randomBytesBase64());
if ($is_https && $this->isMixedMode()) {
$session_id = Crypt::randomBytesBase64();
$cookies->set($insecure_session_name, $session_id);
}
// Initialize the session global and attach the Symfony session bags.
$_SESSION = array();
......@@ -214,13 +198,6 @@ public function save() {
// started.
if (!$this->getSaveHandler()->isActive()) {
$this->startNow();
if ($this->requestStack->getCurrentRequest()->isSecure() && $this->isMixedMode()) {
$insecure_session_name = $this->getInsecureName();
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
$cookie_params = $this->requestStack->getCurrentRequest()->cookies;
setcookie($insecure_session_name, $cookie_params->get($insecure_session_name), $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
}
}
// Write the session data.
parent::save();
......@@ -246,22 +223,6 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
throw new \InvalidArgumentException('The optional parameters $destroy and $lifetime of SessionManager::regenerate() are not supported currently');
}
$is_https = $this->requestStack->getCurrentRequest()->isSecure();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
$insecure_session_id = '';
if ($is_https && $this->isMixedMode()) {
$insecure_session_name = $this->getInsecureName();
$params = session_get_cookie_params();
$insecure_session_id = Crypt::randomBytesBase64();
// If a session cookie lifetime is set, the session will expire
// $params['lifetime'] seconds from the current request. If it is not set,
// it will expire when the browser is closed.
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($insecure_session_name, $insecure_session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
$cookies->set($insecure_session_name, $insecure_session_id);
}
if ($this->isStarted()) {
$old_session_id = $this->getId();
}
......@@ -273,7 +234,7 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($this->getName(), $this->getId(), $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
$this->migrateStoredSession($old_session_id, $is_https, $insecure_session_id);
$this->migrateStoredSession($old_session_id);
}
if (!$this->isStarted()) {
......@@ -323,27 +284,6 @@ public function enable() {
return $this;
}
/**
* {@inheritdoc}
*/
public function isMixedMode() {
return $this->mixedMode;
}
/**
* {@inheritdoc}
*/
public function setMixedMode($mixed_mode) {
$this->mixedMode = (bool) $mixed_mode;
}
/**
* {@inheritdoc}
*/
public function getInsecureName() {
return substr($this->getName(), 1);
}
/**
* Returns whether the current PHP process runs on CLI.
*
......@@ -401,25 +341,12 @@ protected function getSessionDataMask() {
* @param string $old_session_id
* The old session id. The new session id is $this->getId() unless
* $new_insecure_session_id is not empty.
* @param bool $is_https
* Whether this is a HTTPS request.
* @param string $new_insecure_session_id
* If this is a HTTPS request and we are in mixed mode, this is the new
* insecure session id. The secure session id is $this->getId().
*/
protected function migrateStoredSession($old_session_id, $is_https, $new_insecure_session_id) {
protected function migrateStoredSession($old_session_id) {
$fields = array('sid' => Crypt::hashBase64($this->getId()));
if ($is_https) {
$fields['ssid'] = $fields['sid'];
// If the "secure pages" setting is enabled, use the newly-created
// insecure session identifier as the regenerated sid.
if ($this->isMixedMode()) {
$fields['sid'] = Crypt::hashBase64($new_insecure_session_id);
}
}
$this->connection->update('sessions')
->fields($fields)
->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($old_session_id))
->condition('sid', Crypt::hashBase64($old_session_id))
->execute();
}
......
......@@ -50,28 +50,4 @@ public function disable();
*/
public function enable();
/**
* Returns whether mixed mode SSL sessions are enabled in the session manager.
*
* @return bool
* Value of the mixed mode SSL sessions flag.
*/
public function isMixedMode();
/**
* Enables or disables mixed mode SSL sessions in the session manager.
*
* @param bool $mixed_mode
* New value for the mixed mode SSL sessions flag.
*/
public function setMixedMode($mixed_mode);
/**
* Returns the name of the insecure session when operating in mixed mode SSL.
*
* @return string
* The name of the insecure session.
*/
public function getInsecureName();
}
......@@ -120,8 +120,7 @@ class Url {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @see static::fromRoute()
* @see static::fromUri()
......@@ -161,8 +160,7 @@ public function __construct($route_name, $route_parameters = array(), $options =
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return \Drupal\Core\Url
* A new Url object for a routed (internal to Drupal) URL.
......@@ -216,8 +214,7 @@ public static function fromRouteMatch(RouteMatchInterface $route_match) {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
* and FALSE enforces HTTP.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return \Drupal\Core\Url
* A new Url object for an unrouted (non-Drupal) URL.
......
......@@ -44,8 +44,7 @@ interface UnroutedUrlAssemblerInterface {
* displayed outside the site, such as in an RSS feed.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
* only be enforced when the variable 'https' is set to TRUE.
* respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return
* A string containing a relative or absolute URL.
......
......@@ -11,7 +11,6 @@
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PathProcessor\InboundPathProcessorInterface;
use Drupal\Core\PathProcessor\OutboundPathProcessorInterface;
use Drupal\Core\Site\Settings;
use Drupal\language\ConfigurableLanguageManagerInterface;
use Drupal\language\LanguageNegotiatorInterface;
use Symfony\Component\HttpFoundation\Request;
......@@ -29,13 +28,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
*/
protected $config;
/**
* Whether both secure and insecure session cookies can be used simultaneously.
*
* @var bool
*/
protected $mixedModeSessions;
/**
* Language manager for retrieving the url language type.
*
......@@ -69,8 +61,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
*
* @param \Drupal\Core\Config\ConfigFactoryInterface $config
* A config factory object for retrieving configuration settings.
* @param \Drupal\Core\Site\Settings $settings
* The settings instance.
* @param \Drupal\language\ConfigurableLanguageManagerInterface $language_manager
* The configurable language manager.
* @param \Drupal\language\LanguageNegotiatorInterface
......@@ -78,9 +68,8 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
* @param \Drupal\Core\Session\AccountInterface $current_user
* The current active user.
*/
public function __construct(ConfigFactoryInterface $config, Settings $settings, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) {
public function __construct(ConfigFactoryInterface $config, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) {
$this->config = $config;
$this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
$this->languageManager = $language_manager;
$this->negotiator = $negotiator;
$this->negotiator->setCurrentUser($current_user);
......@@ -115,8 +104,6 @@ public function processOutbound($path, &$options = array(), Request $request = N
if (!isset($this->processors[$scope])) {
$this->initProcessors($scope);
}
// Execute outbound language processors.
$options['mixed_mode_sessions'] = $this->mixedModeSessions;
foreach ($this->processors[$scope] as $instance) {
$path = $instance->processOutbound($path, $options, $request);
}
......
......@@ -37,7 +37,6 @@ public function register(ContainerBuilder $container) {
->addTag('path_processor_inbound', array('priority' => 300))
->addTag('path_processor_outbound', array('priority' => 100))
->addArgument(new Reference('config.factory'))
->addArgument(new Reference('settings'))
->addArgument(new Reference('language_manager'))
->addArgument(new Reference('language_negotiator'))
->addArgument(new Reference('current_user'));
......
......@@ -169,7 +169,7 @@ public function processOutbound($path, &$options = array(), Request $request = N
$options['base_url'] .= ':' . $port;
}
if (isset($options['https']) && !empty($options['mixed_mode_sessions'])) {
if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
}
......
......@@ -468,13 +468,9 @@ function testLanguageDomain() {
$this->assertEqual($italian_url, $correct_link, format_string('The _url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url)));
// Test HTTPS via options.
$this->settingsSet('mixed_mode_sessions', TRUE);
$this->rebuildContainer();
$italian_url = _url('admin', array('https' => TRUE, 'language' => $languages['it'], 'script' => ''));
$correct_link = 'https://' . $link;
$this->assertTrue($italian_url == $correct_link, format_string('The _url() function returns the right HTTPS URL (via options) (@url) in accordance with the chosen language', array('@url' => $italian_url)));
$this->settingsSet('mixed_mode_sessions', FALSE);
// Test HTTPS via current URL scheme.
$request = Request::create('', 'GET', array(), array(), array(), array('HTTPS' => 'on'));
......
......@@ -64,7 +64,7 @@ protected function testHttpsSession() {
// Check insecure cookie is not set.
$this->assertFalse(isset($this->cookies[$insecure_session_name]));
$ssid = $this->cookies[$secure_session_name]['value'];
$this->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.');
$this->assertSessionIds($ssid, 'Session has a non-empty SID and a correct secure SID.');
$cookie = $secure_session_name . '=' . $ssid;
// Verify that user is logged in on secure URL.
......@@ -109,196 +109,11 @@ protected function testHttpsSession() {
$this->cookies = array();
}
/**
* Tests sessions in SSL mixed mode.
*/
protected function testMixedModeSslSession() {
if ($this->request->isSecure()) {
// The functionality does not make sense when running on HTTPS.
return;
}
else {
$secure_session_name = 'S' . $this->getSessionName();
$insecure_session_name = $this->getSessionName();
}
// Enable secure pages.
$this->settingsSet('mixed_mode_sessions', TRUE);
// Write that value also into the test settings.php file.
$settings['settings']['mixed_mode_sessions'] = (object) array(
'value' => TRUE,
'required' => TRUE,
);
$this->writeSettings($settings);
$user = $this->drupalCreateUser(array('access administration pages'));
$this->curlClose();
// Start an anonymous session on the insecure site.
$session_data = $this->randomMachineName();
$this->drupalGet('session-test/set/' . $session_data);
// Check secure cookie on insecure page.
$this->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.');
// Check insecure cookie on insecure page.
$this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
// Store the anonymous cookie so we can validate that its session is killed
// after login.
$anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value'];
// Check that password request form action is not secure.
$this->drupalGet('user/password');
$form = $this->xpath('//form[@id="user-pass"]');
$this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure');
$form[0]['action'] = $this->httpsUrl('user/login');