diff --git a/core/core.services.yml b/core/core.services.yml
index a6663b4f15cdde23fdaff38e18e282eba574a3fe..08bec381268c499ff4debbf8d921f7e08b52c537 100644
--- a/core/core.services.yml
+++ b/core/core.services.yml
@@ -495,7 +495,7 @@ services:
- { name: service_collector, tag: route_filter, call: addRouteFilter }
url_generator:
class: Drupal\Core\Routing\UrlGenerator
- arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@settings', '@logger.channel.default', '@request_stack']
+ arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@logger.channel.default', '@request_stack']
calls:
- [setContext, ['@?router.request_context']]
unrouted_url_assembler:
diff --git a/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php b/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php
index 12a0572695fa73d56af312d503dd9a9899a6899b..c8ae6cb928976c1273e2271b10d0d83f45b8105a 100644
--- a/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php
+++ b/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php
@@ -52,9 +52,6 @@ public function getFormID() {
* {@inheritdoc}
*/
public function buildForm(array $form, FormStateInterface $form_state) {
- // If possible, we want to post this form securely via HTTPS.
- $form['#https'] = TRUE;
-
// Get all the available ways to transfer files.
if (empty($_SESSION['authorize_filetransfer_info'])) {
drupal_set_message($this->t('Unable to continue, no available methods of file transfer'), 'error');
diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php
index d2040505722e3d507db327fe258fe2a06124703e..bf356001d6c8abbd23843b9a0606b76c9def09ae 100644
--- a/core/lib/Drupal/Core/Form/FormBuilder.php
+++ b/core/lib/Drupal/Core/Form/FormBuilder.php
@@ -16,7 +16,6 @@
use Drupal\Core\DependencyInjection\ClassResolverInterface;
use Drupal\Core\Extension\ModuleHandlerInterface;
use Drupal\Core\Render\Element;
-use Drupal\Core\Site\Settings;
use Drupal\Core\Theme\ThemeManagerInterface;
use Symfony\Component\EventDispatcher\EventDispatcherInterface;
use Symfony\Component\HttpFoundation\RequestStack;
@@ -694,8 +693,7 @@ public function doBuildForm($form_id, &$element, FormStateInterface &$form_state
// Special handling if we're on the top level form element.
if (isset($element['#type']) && $element['#type'] == 'form') {
- if (!empty($element['#https']) && Settings::get('mixed_mode_sessions', FALSE) &&
- !UrlHelper::isExternal($element['#action'])) {
+ if (!empty($element['#https']) && !UrlHelper::isExternal($element['#action'])) {
global $base_root;
// Not an external URL so ensure that it is secure.
diff --git a/core/lib/Drupal/Core/Link.php b/core/lib/Drupal/Core/Link.php
index 35dddee4e95207f6a86fa8164e7a587768d42616..489f54f4f90e840f58864c9e08bcf10076385a7e 100644
--- a/core/lib/Drupal/Core/Link.php
+++ b/core/lib/Drupal/Core/Link.php
@@ -67,8 +67,7 @@ public function __construct($text, Url $url) {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
- * and FALSE enforces HTTP.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return static
*/
diff --git a/core/lib/Drupal/Core/Routing/UrlGenerator.php b/core/lib/Drupal/Core/Routing/UrlGenerator.php
index 4657fdf2c915309ae4738c8b642656a4321d6f78..ef59db92f02e87205cd5a38679c7700551ea6d8d 100644
--- a/core/lib/Drupal/Core/Routing/UrlGenerator.php
+++ b/core/lib/Drupal/Core/Routing/UrlGenerator.php
@@ -20,7 +20,6 @@
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PathProcessor\OutboundPathProcessorInterface;
use Drupal\Core\RouteProcessor\OutboundRouteProcessorInterface;
-use Drupal\Core\Site\Settings;
/**
* Generates URLs from route names and parameters.
@@ -48,13 +47,6 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
*/
protected $routeProcessor;
- /**
- * Whether both secure and insecure session cookies can be used simultaneously.
- *
- * @var bool
- */
- protected $mixedModeSessions;
-
/**
* Overrides characters that will not be percent-encoded in the path segment.
*
@@ -78,19 +70,16 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa
* The route processor.
* @param \Drupal\Core\Config\ConfigFactoryInterface $config
* The config factory.
- * @param \Drupal\Core\Site\Settings $settings
- * The read only settings.
* @param \Psr\Log\LoggerInterface $logger
* An optional logger for recording errors.
* @param \Symfony\Component\HttpFoundation\RequestStack $request_stack
* A request stack object.
*/
- public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, Settings $settings, LoggerInterface $logger = NULL, RequestStack $request_stack) {
+ public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, LoggerInterface $logger = NULL, RequestStack $request_stack) {
parent::__construct($provider, $logger);
$this->pathProcessor = $path_processor;
$this->routeProcessor = $route_processor;
- $this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
$allowed_protocols = $config->get('system.filter')->get('protocols') ?: array('http', 'https');
UrlHelper::setAllowedProtocols($allowed_protocols);
$this->requestStack = $request_stack;
@@ -190,7 +179,7 @@ public function generateFromRoute($name, $parameters = array(), $options = array
// Prepare an absolute URL by getting the correct scheme, host and port from
// the request context.
- if (isset($options['https']) && $this->mixedModeSessions) {
+ if (isset($options['https'])) {
$scheme = $options['https'] ? 'https' : 'http';
}
else {
@@ -262,7 +251,7 @@ public function generateFromPath($path = NULL, $options = array()) {
if ($options['query']) {
$path .= (strpos($path, '?') !== FALSE ? '&' : '?') . UrlHelper::buildQuery($options['query']);
}
- if (isset($options['https']) && $this->mixedModeSessions) {
+ if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$path = str_replace('http://', 'https://', $path);
}
@@ -282,7 +271,7 @@ public function generateFromPath($path = NULL, $options = array()) {
}
// The base_url might be rewritten from the language rewrite in domain mode.
if (!isset($options['base_url'])) {
- if (isset($options['https']) && $this->mixedModeSessions) {
+ if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $current_base_url);
$options['absolute'] = TRUE;
diff --git a/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php b/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php
index e80e193e4bc87705cbea9b91fa2c3ba369360c12..a30db190fb769704f31aa94f8e06a75adaf8667b 100644
--- a/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php
+++ b/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php
@@ -58,8 +58,7 @@ interface UrlGeneratorInterface extends VersatileGeneratorInterface {
* \Drupal::languageManager()->getCurrentLanguage(LanguageInterface::TYPE_URL).
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
- * only be enforced when the variable 'https' is set to TRUE.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* - 'base_url': Only used internally, to modify the base URL when a language
* dependent URL requires so.
* - 'prefix': Only used internally, to modify the path when a language
@@ -132,8 +131,7 @@ public function getPathFromRoute($name, $parameters = array());
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
- * and FALSE enforces HTTP.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
* - 'prefix': Only used internally, to modify the path when a language
* dependent URL requires so.
*
diff --git a/core/lib/Drupal/Core/Session/SessionHandler.php b/core/lib/Drupal/Core/Session/SessionHandler.php
index 2b37af4615d355400aa0f2eaca01154c0e3fcebc..62b40740607d9aebed65bd1875a70e10860f9e07 100644
--- a/core/lib/Drupal/Core/Session/SessionHandler.php
+++ b/core/lib/Drupal/Core/Session/SessionHandler.php
@@ -78,44 +78,15 @@ public function read($sid) {
// Handle the case of first time visitors and clients that don't store
// cookies (eg. web crawlers).
- $insecure_session_name = $this->sessionManager->getInsecureName();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
- if (empty($sid) || (!$cookies->has($this->getName()) && !$cookies->has($insecure_session_name))) {
+ if (empty($sid) || !$cookies->has($this->getName())) {
$user = new UserSession();
return '';
}
- // Otherwise, if the session is still active, we have a record of the
- // client's session in the database. If it's HTTPS then we are either have a
- // HTTPS session or we are about to log in so we check the sessions table
- // for an anonymous session with the non-HTTPS-only cookie. The session ID
- // that is in the user's cookie is hashed before being stored in the
- // database as a security measure. Thus, we have to hash it to match the
- // database.
- if ($this->requestStack->getCurrentRequest()->isSecure()) {
- // Try to load a session using the HTTPS-only secure session id.
- $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.ssid = :ssid", array(
- ':ssid' => Crypt::hashBase64($sid),
- ))->fetchAssoc();
- if (!$values) {
- // Fallback and try to load the anonymous non-HTTPS session. Use the
- // non-HTTPS session id as the key.
- if ($cookies->has($insecure_session_name)) {
- $insecure_session_id = $cookies->get($insecure_session_name);
- $args = array(':sid' => Crypt::hashBase64($insecure_session_id));
- $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid AND s.uid = 0", $args)->fetchAssoc();
- if ($values) {
- $this->sessionSetObsolete($insecure_session_id);
- }
- }
- }
- }
- else {
- // Try to load a session using the non-HTTPS session id.
- $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
- ':sid' => Crypt::hashBase64($sid),
- ))->fetchAssoc();
- }
+ $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array(
+ ':sid' => Crypt::hashBase64($sid),
+ ))->fetchAssoc();
// We found the client's session record and they are an authenticated,
// active user.
@@ -158,42 +129,17 @@ public function write($sid, $value) {
return TRUE;
}
- // Either ssid or sid or both will be added from $key below.
$fields = array(
'uid' => $user->id(),
'hostname' => $this->requestStack->getCurrentRequest()->getClientIP(),
'session' => $value,
'timestamp' => REQUEST_TIME,
);
- // Use the session ID as 'sid' and an empty string as 'ssid' by default.
- // read() does not allow empty strings so that's a safe default.
- $key = array('sid' => Crypt::hashBase64($sid), 'ssid' => '');
- // On HTTPS connections, use the session ID as both 'sid' and 'ssid'.
- if ($this->requestStack->getCurrentRequest()->isSecure()) {
- $key['ssid'] = $key['sid'];
- // The "secure pages" setting allows a site to simultaneously use both
- // secure and insecure session cookies. If enabled and both cookies
- // are presented then use both keys. The session ID from the cookie is
- // hashed before being stored in the database as a security measure.
- if ($this->sessionManager->isMixedMode()) {
- $insecure_session_name = $this->sessionManager->getInsecureName();
- $cookies = $this->requestStack->getCurrentRequest()->cookies;
- if ($cookies->has($insecure_session_name)) {
- $key['sid'] = Crypt::hashBase64($cookies->get($insecure_session_name));
- }
- }
- }
- elseif ($this->sessionManager->isMixedMode()) {
- unset($key['ssid']);
- }
$this->connection->merge('sessions')
- ->keys($key)
+ ->keys(array('sid' => Crypt::hashBase64($sid)))
->fields($fields)
->execute();
- // Remove obsolete sessions.
- $this->cleanupObsoleteSessions();
-
// Likewise, do not update access time more than once per 180 seconds.
if ($user->isAuthenticated() && REQUEST_TIME - $user->getLastAccessedTime() > Settings::get('session_write_interval', 180)) {
/** @var \Drupal\user\UserStorageInterface $storage */
@@ -231,10 +177,9 @@ public function destroy($sid) {
if (!$this->sessionManager->isEnabled()) {
return TRUE;
}
- $is_https = $this->requestStack->getCurrentRequest()->isSecure();
// Delete session data.
$this->connection->delete('sessions')
- ->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($sid))
+ ->condition('sid', Crypt::hashBase64($sid))
->execute();
// Reset $_SESSION and $user to prevent a new session from being started
@@ -244,15 +189,6 @@ public function destroy($sid) {
// Unset the session cookies.
$this->deleteCookie($this->getName());
- if ($is_https) {
- $this->deleteCookie($this->sessionManager->getInsecureName(), FALSE);
- }
- elseif ($this->sessionManager->isMixedMode()) {
- $this->deleteCookie('S' . $this->getName(), TRUE);
- }
-
- // Remove obsolete sessions.
- $this->cleanupObsoleteSessions();
return TRUE;
}
@@ -277,37 +213,14 @@ public function gc($lifetime) {
*
* @param string $name
* Name of session cookie to delete.
- * @param bool $secure
- * Force the secure value of the cookie.
*/
- protected function deleteCookie($name, $secure = NULL) {
+ protected function deleteCookie($name) {
$cookies = $this->requestStack->getCurrentRequest()->cookies;
- if ($cookies->has($name) || (!$this->requestStack->getCurrentRequest()->isSecure() && $secure === TRUE)) {
+ if ($cookies->has($name)) {
$params = session_get_cookie_params();
- if ($secure !== NULL) {
- $params['secure'] = $secure;
- }
setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
$cookies->remove($name);
}
}
- /**
- * Mark a session for garbage collection upon session save.
- */
- protected function sessionSetObsolete($sid, $https = FALSE) {
- $this->obsoleteSessionIds[$sid] = $https ? 'ssid' : 'sid';
- }
-
- /**
- * Remove sessions marked for garbage collection.
- */
- protected function cleanupObsoleteSessions() {
- foreach ($this->obsoleteSessionIds as $sid => $key) {
- $this->connection->delete('sessions')
- ->condition($key, Crypt::hashBase64($sid))
- ->execute();
- }
- }
-
}
diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php
index 5bf7d10a14008bf7aadd04ecd6b729f276ffb483..157f303ae35bfcddb1fc7064e9968a18f45068b4 100644
--- a/core/lib/Drupal/Core/Session/SessionManager.php
+++ b/core/lib/Drupal/Core/Session/SessionManager.php
@@ -31,18 +31,10 @@
* necessary to subclass it at all. In order to reach the point where Drupal
* can use the Symfony session management unmodified, the code implemented
* here needs to be extracted either into a dedicated session handler proxy
- * (e.g. mixed mode SSL, sid-hashing) or relocated to the authentication
- * subsystem.
+ * (e.g. sid-hashing) or relocated to the authentication subsystem.
*/
class SessionManager extends NativeSessionStorage implements SessionManagerInterface {
- /**
- * Whether or not the session manager is operating in mixed mode SSL.
- *
- * @var bool
- */
- protected $mixedMode;
-
/**
* The request stack.
*
@@ -100,8 +92,6 @@ public function __construct(RequestStack $request_stack, Connection $connection,
parent::__construct($options, $write_check_handler, $metadata_bag);
- $this->setMixedMode($settings->get('mixed_mode_sessions', FALSE));
-
// @todo When not using the Symfony Session object, the list of bags in the
// NativeSessionStorage will remain uninitialized. This will lead to
// errors in NativeSessionHandler::loadSession. Remove this after
@@ -121,10 +111,8 @@ public function start() {
return $this->started;
}
- $is_https = $this->requestStack->getCurrentRequest()->isSecure();
$cookies = $this->requestStack->getCurrentRequest()->cookies;
- $insecure_session_name = $this->getInsecureName();
- if (($cookies->has($this->getName()) && ($session_name = $cookies->get($this->getName()))) || ($is_https && $this->isMixedMode() && ($cookies->has($insecure_session_name) && ($session_name = $cookies->get($insecure_session_name))))) {
+ if ($cookies->get($this->getName())) {
// If a session cookie exists, initialize the session. Otherwise the
// session is only started on demand in save(), making
// anonymous users not use a session cookie unless something is stored in
@@ -144,10 +132,6 @@ public function start() {
// default php session id instead of generating a custom one:
// https://www.drupal.org/node/2238561
$this->setId(Crypt::randomBytesBase64());
- if ($is_https && $this->isMixedMode()) {
- $session_id = Crypt::randomBytesBase64();
- $cookies->set($insecure_session_name, $session_id);
- }
// Initialize the session global and attach the Symfony session bags.
$_SESSION = array();
@@ -214,13 +198,6 @@ public function save() {
// started.
if (!$this->getSaveHandler()->isActive()) {
$this->startNow();
- if ($this->requestStack->getCurrentRequest()->isSecure() && $this->isMixedMode()) {
- $insecure_session_name = $this->getInsecureName();
- $params = session_get_cookie_params();
- $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
- $cookie_params = $this->requestStack->getCurrentRequest()->cookies;
- setcookie($insecure_session_name, $cookie_params->get($insecure_session_name), $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
- }
}
// Write the session data.
parent::save();
@@ -246,22 +223,6 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
throw new \InvalidArgumentException('The optional parameters $destroy and $lifetime of SessionManager::regenerate() are not supported currently');
}
- $is_https = $this->requestStack->getCurrentRequest()->isSecure();
- $cookies = $this->requestStack->getCurrentRequest()->cookies;
- $insecure_session_id = '';
-
- if ($is_https && $this->isMixedMode()) {
- $insecure_session_name = $this->getInsecureName();
- $params = session_get_cookie_params();
- $insecure_session_id = Crypt::randomBytesBase64();
- // If a session cookie lifetime is set, the session will expire
- // $params['lifetime'] seconds from the current request. If it is not set,
- // it will expire when the browser is closed.
- $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
- setcookie($insecure_session_name, $insecure_session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']);
- $cookies->set($insecure_session_name, $insecure_session_id);
- }
-
if ($this->isStarted()) {
$old_session_id = $this->getId();
}
@@ -273,7 +234,7 @@ public function regenerate($destroy = FALSE, $lifetime = NULL) {
$params = session_get_cookie_params();
$expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
setcookie($this->getName(), $this->getId(), $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);
- $this->migrateStoredSession($old_session_id, $is_https, $insecure_session_id);
+ $this->migrateStoredSession($old_session_id);
}
if (!$this->isStarted()) {
@@ -323,27 +284,6 @@ public function enable() {
return $this;
}
- /**
- * {@inheritdoc}
- */
- public function isMixedMode() {
- return $this->mixedMode;
- }
-
- /**
- * {@inheritdoc}
- */
- public function setMixedMode($mixed_mode) {
- $this->mixedMode = (bool) $mixed_mode;
- }
-
- /**
- * {@inheritdoc}
- */
- public function getInsecureName() {
- return substr($this->getName(), 1);
- }
-
/**
* Returns whether the current PHP process runs on CLI.
*
@@ -401,25 +341,12 @@ protected function getSessionDataMask() {
* @param string $old_session_id
* The old session id. The new session id is $this->getId() unless
* $new_insecure_session_id is not empty.
- * @param bool $is_https
- * Whether this is a HTTPS request.
- * @param string $new_insecure_session_id
- * If this is a HTTPS request and we are in mixed mode, this is the new
- * insecure session id. The secure session id is $this->getId().
*/
- protected function migrateStoredSession($old_session_id, $is_https, $new_insecure_session_id) {
+ protected function migrateStoredSession($old_session_id) {
$fields = array('sid' => Crypt::hashBase64($this->getId()));
- if ($is_https) {
- $fields['ssid'] = $fields['sid'];
- // If the "secure pages" setting is enabled, use the newly-created
- // insecure session identifier as the regenerated sid.
- if ($this->isMixedMode()) {
- $fields['sid'] = Crypt::hashBase64($new_insecure_session_id);
- }
- }
$this->connection->update('sessions')
->fields($fields)
- ->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($old_session_id))
+ ->condition('sid', Crypt::hashBase64($old_session_id))
->execute();
}
diff --git a/core/lib/Drupal/Core/Session/SessionManagerInterface.php b/core/lib/Drupal/Core/Session/SessionManagerInterface.php
index b620c6630d2b4e478c45df8bbddb840fea4242a5..c86fb7df64769d993a6625e14e1d8576b93ffe3c 100644
--- a/core/lib/Drupal/Core/Session/SessionManagerInterface.php
+++ b/core/lib/Drupal/Core/Session/SessionManagerInterface.php
@@ -50,28 +50,4 @@ public function disable();
*/
public function enable();
- /**
- * Returns whether mixed mode SSL sessions are enabled in the session manager.
- *
- * @return bool
- * Value of the mixed mode SSL sessions flag.
- */
- public function isMixedMode();
-
- /**
- * Enables or disables mixed mode SSL sessions in the session manager.
- *
- * @param bool $mixed_mode
- * New value for the mixed mode SSL sessions flag.
- */
- public function setMixedMode($mixed_mode);
-
- /**
- * Returns the name of the insecure session when operating in mixed mode SSL.
- *
- * @return string
- * The name of the insecure session.
- */
- public function getInsecureName();
-
}
diff --git a/core/lib/Drupal/Core/Url.php b/core/lib/Drupal/Core/Url.php
index 39ce1251b3db32e0db233d25509d6abc227eeb92..999f4477dd9c3ab2282259ba8afe909ee9ae7fb7 100644
--- a/core/lib/Drupal/Core/Url.php
+++ b/core/lib/Drupal/Core/Url.php
@@ -120,8 +120,7 @@ class Url {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
- * and FALSE enforces HTTP.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @see static::fromRoute()
* @see static::fromUri()
@@ -161,8 +160,7 @@ public function __construct($route_name, $route_parameters = array(), $options =
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
- * and FALSE enforces HTTP.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return \Drupal\Core\Url
* A new Url object for a routed (internal to Drupal) URL.
@@ -216,8 +214,7 @@ public static function fromRouteMatch(RouteMatchInterface $route_match) {
* current language for the language type LanguageInterface::TYPE_URL.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS
- * and FALSE enforces HTTP.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return \Drupal\Core\Url
* A new Url object for an unrouted (non-Drupal) URL.
diff --git a/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php b/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php
index c1caa44ef860a106b556f960fc980219384980a4..d224a4799e5b0ed7432363e4f2995dc90ecc0bb7 100644
--- a/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php
+++ b/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php
@@ -44,8 +44,7 @@ interface UnroutedUrlAssemblerInterface {
* displayed outside the site, such as in an RSS feed.
* - 'https': Whether this URL should point to a secure location. If not
* defined, the current scheme is used, so the user stays on HTTP or HTTPS
- * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can
- * only be enforced when the variable 'https' is set to TRUE.
+ * respectively. TRUE enforces HTTPS and FALSE enforces HTTP.
*
* @return
* A string containing a relative or absolute URL.
diff --git a/core/modules/language/src/HttpKernel/PathProcessorLanguage.php b/core/modules/language/src/HttpKernel/PathProcessorLanguage.php
index c3a6a9fc616b801f9de945e25807cdfa3671867c..f1402b56cf2419a2c154865a773248f429c3f6f4 100644
--- a/core/modules/language/src/HttpKernel/PathProcessorLanguage.php
+++ b/core/modules/language/src/HttpKernel/PathProcessorLanguage.php
@@ -11,7 +11,6 @@
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\PathProcessor\InboundPathProcessorInterface;
use Drupal\Core\PathProcessor\OutboundPathProcessorInterface;
-use Drupal\Core\Site\Settings;
use Drupal\language\ConfigurableLanguageManagerInterface;
use Drupal\language\LanguageNegotiatorInterface;
use Symfony\Component\HttpFoundation\Request;
@@ -29,13 +28,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
*/
protected $config;
- /**
- * Whether both secure and insecure session cookies can be used simultaneously.
- *
- * @var bool
- */
- protected $mixedModeSessions;
-
/**
* Language manager for retrieving the url language type.
*
@@ -69,8 +61,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
*
* @param \Drupal\Core\Config\ConfigFactoryInterface $config
* A config factory object for retrieving configuration settings.
- * @param \Drupal\Core\Site\Settings $settings
- * The settings instance.
* @param \Drupal\language\ConfigurableLanguageManagerInterface $language_manager
* The configurable language manager.
* @param \Drupal\language\LanguageNegotiatorInterface
@@ -78,9 +68,8 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa
* @param \Drupal\Core\Session\AccountInterface $current_user
* The current active user.
*/
- public function __construct(ConfigFactoryInterface $config, Settings $settings, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) {
+ public function __construct(ConfigFactoryInterface $config, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) {
$this->config = $config;
- $this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE);
$this->languageManager = $language_manager;
$this->negotiator = $negotiator;
$this->negotiator->setCurrentUser($current_user);
@@ -115,8 +104,6 @@ public function processOutbound($path, &$options = array(), Request $request = N
if (!isset($this->processors[$scope])) {
$this->initProcessors($scope);
}
- // Execute outbound language processors.
- $options['mixed_mode_sessions'] = $this->mixedModeSessions;
foreach ($this->processors[$scope] as $instance) {
$path = $instance->processOutbound($path, $options, $request);
}
diff --git a/core/modules/language/src/LanguageServiceProvider.php b/core/modules/language/src/LanguageServiceProvider.php
index be89900c1635487ff8b15e7226fd27edfc0fad50..d7c4dddb3fa4895646cd1c1bd5a99a7a8a094cc6 100644
--- a/core/modules/language/src/LanguageServiceProvider.php
+++ b/core/modules/language/src/LanguageServiceProvider.php
@@ -37,7 +37,6 @@ public function register(ContainerBuilder $container) {
->addTag('path_processor_inbound', array('priority' => 300))
->addTag('path_processor_outbound', array('priority' => 100))
->addArgument(new Reference('config.factory'))
- ->addArgument(new Reference('settings'))
->addArgument(new Reference('language_manager'))
->addArgument(new Reference('language_negotiator'))
->addArgument(new Reference('current_user'));
diff --git a/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php b/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php
index d84bee48acae13b9688eaf5c5ad88ec355c18885..b76b1b18cd55909bff41f4bca785e743997ee1d8 100644
--- a/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php
+++ b/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php
@@ -169,7 +169,7 @@ public function processOutbound($path, &$options = array(), Request $request = N
$options['base_url'] .= ':' . $port;
}
- if (isset($options['https']) && !empty($options['mixed_mode_sessions'])) {
+ if (isset($options['https'])) {
if ($options['https'] === TRUE) {
$options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
}
diff --git a/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php b/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php
index 440ee364975d2c5fe01f48cc8063ede9e8fb77fa..fb4a3bbab23c6dcaa2cb0ae54b362a1892c1a6c3 100644
--- a/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php
+++ b/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php
@@ -468,13 +468,9 @@ function testLanguageDomain() {
$this->assertEqual($italian_url, $correct_link, format_string('The _url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url)));
// Test HTTPS via options.
- $this->settingsSet('mixed_mode_sessions', TRUE);
- $this->rebuildContainer();
-
$italian_url = _url('admin', array('https' => TRUE, 'language' => $languages['it'], 'script' => ''));
$correct_link = 'https://' . $link;
$this->assertTrue($italian_url == $correct_link, format_string('The _url() function returns the right HTTPS URL (via options) (@url) in accordance with the chosen language', array('@url' => $italian_url)));
- $this->settingsSet('mixed_mode_sessions', FALSE);
// Test HTTPS via current URL scheme.
$request = Request::create('', 'GET', array(), array(), array(), array('HTTPS' => 'on'));
diff --git a/core/modules/system/src/Tests/Session/SessionHttpsTest.php b/core/modules/system/src/Tests/Session/SessionHttpsTest.php
index 06e0e19aa6502139653054a677d1ad81b9191d07..9af167b51299959e9fd17336a29d2a696cddcb41 100644
--- a/core/modules/system/src/Tests/Session/SessionHttpsTest.php
+++ b/core/modules/system/src/Tests/Session/SessionHttpsTest.php
@@ -64,7 +64,7 @@ protected function testHttpsSession() {
// Check insecure cookie is not set.
$this->assertFalse(isset($this->cookies[$insecure_session_name]));
$ssid = $this->cookies[$secure_session_name]['value'];
- $this->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.');
+ $this->assertSessionIds($ssid, 'Session has a non-empty SID and a correct secure SID.');
$cookie = $secure_session_name . '=' . $ssid;
// Verify that user is logged in on secure URL.
@@ -109,196 +109,11 @@ protected function testHttpsSession() {
$this->cookies = array();
}
- /**
- * Tests sessions in SSL mixed mode.
- */
- protected function testMixedModeSslSession() {
- if ($this->request->isSecure()) {
- // The functionality does not make sense when running on HTTPS.
- return;
- }
- else {
- $secure_session_name = 'S' . $this->getSessionName();
- $insecure_session_name = $this->getSessionName();
- }
-
- // Enable secure pages.
- $this->settingsSet('mixed_mode_sessions', TRUE);
- // Write that value also into the test settings.php file.
- $settings['settings']['mixed_mode_sessions'] = (object) array(
- 'value' => TRUE,
- 'required' => TRUE,
- );
- $this->writeSettings($settings);
-
- $user = $this->drupalCreateUser(array('access administration pages'));
-
- $this->curlClose();
- // Start an anonymous session on the insecure site.
- $session_data = $this->randomMachineName();
- $this->drupalGet('session-test/set/' . $session_data);
- // Check secure cookie on insecure page.
- $this->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.');
- // Check insecure cookie on insecure page.
- $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
-
- // Store the anonymous cookie so we can validate that its session is killed
- // after login.
- $anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value'];
-
- // Check that password request form action is not secure.
- $this->drupalGet('user/password');
- $form = $this->xpath('//form[@id="user-pass"]');
- $this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure');
- $form[0]['action'] = $this->httpsUrl('user/login');
-
- // Check that user login form action is secure.
- $this->drupalGet('user/login');
- $form = $this->xpath('//form[@id="user-login-form"]');
- $this->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure');
- $form[0]['action'] = $this->httpsUrl('user/login');
-
- $edit = array(
- 'name' => $user->getUsername(),
- 'pass' => $user->pass_raw,
- );
- $this->drupalPostForm(NULL, $edit, t('Log in'));
- // Check secure cookie on secure page.
- $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute');
- // Check insecure cookie on secure page.
- $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute');
-
- $sid = $this->cookies[$insecure_session_name]['value'];
- $ssid = $this->cookies[$secure_session_name]['value'];
- $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
- $cookies = array(
- 'http' => $insecure_session_name . '=' . $sid,
- 'https' => $secure_session_name . '=' . $ssid,
- );
-
- // Test that session data saved before login is still available on the
- // authenticated session.
- $this->drupalGet('session-test/get');
- $this->assertText($session_data, 'Session correctly returned the stored data set by the anonymous session.');
-
- foreach ($cookies as $cookie_key => $cookie) {
- foreach (array('http' => 'admin/config', 'https' => $this->httpsUrl('admin/config')) as $url_key => $url) {
- $this->curlClose();
- // The HTTPS setting needs to be set correctly on the request for the
- // URL generator to work.
- $this->request->server->set('HTTPS', $url_key == 'https' ? 'on' : 'off');
-
- $this->drupalGet($url, array(), array('Cookie: ' . $cookie));
- if ($cookie_key == $url_key) {
- $this->assertText(t('Configuration'));
- $this->assertResponse(200);
- }
- else {
- $this->assertNoText(t('Configuration'));
- $this->assertResponse(403);
- }
- }
- }
-
- // Test that session data saved before login is not available using the
- // pre-login anonymous cookie.
- $this->cookies = array();
- $this->drupalGet('session-test/get', array(), array('Cookie: ' . $anonymous_cookie));
- $this->assertNoText($session_data, 'Initial anonymous session is inactive after login.');
-
- // Clear browser cookie jar.
- $this->cookies = array();
-
- // Start an anonymous session on the secure site.
- $this->drupalGet($this->httpsUrl('session-test/set/1'));
-
- // Mock a login to the secure site using the secure session cookie.
- $this->drupalGet('user/login');
- $form = $this->xpath('//form[@id="user-login-form"]');
- $form[0]['action'] = $this->httpsUrl('user/login');
- $this->drupalPostForm(NULL, $edit, t('Log in'));
-
- // Test that the user is also authenticated on the insecure site.
- $this->drupalGet("user/" . $user->id() . "/edit");
- $this->assertResponse(200);
- }
-
- /**
- * Ensure that a CSRF form token is shared in SSL mixed mode.
- */
- protected function testCsrfTokenWithMixedModeSsl() {
- if ($this->request->isSecure()) {
- $secure_session_name = $this->getSessionName();
- $insecure_session_name = substr($this->getSessionName(), 1);
- }
- else {
- $secure_session_name = 'S' . $this->getSessionName();
- $insecure_session_name = $this->getSessionName();
- }
-
- // Enable mixed mode SSL.
- $this->settingsSet('mixed_mode_sessions', TRUE);
- // Write that value also into the test settings.php file.
- $settings['settings']['mixed_mode_sessions'] = (object) array(
- 'value' => TRUE,
- 'required' => TRUE,
- );
- $this->writeSettings($settings);
-
- $user = $this->drupalCreateUser(array('access administration pages'));
-
- // Login using the HTTPS user-login form.
- $this->drupalGet('user/login');
- $form = $this->xpath('//form[@id="user-login-form"]');
- $form[0]['action'] = $this->httpsUrl('user/login');
- $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw);
- $this->drupalPostForm(NULL, $edit, t('Log in'));
-
- // Collect session id cookies.
- $sid = $this->cookies[$insecure_session_name]['value'];
- $ssid = $this->cookies[$secure_session_name]['value'];
- $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs');
-
- // Retrieve the form via HTTP.
- $this->curlClose();
- $this->drupalGet($this->httpUrl('session-test/form'), array(), array('Cookie: ' . $insecure_session_name . '=' . $sid));
- $http_token = $this->getFormToken();
-
- // Verify that submitting form values via HTTPS to a form originally
- // retrieved over HTTP works.
- $form = $this->xpath('//form[@id="session-test-form"]');
- $form[0]['action'] = $this->httpsUrl('session-test/form');
- $edit = array('input' => $this->randomMachineName(32));
- $this->curlClose();
- $this->drupalPostForm(NULL, $edit, 'Save', array('Cookie: ' . $secure_session_name . '=' . $ssid));
- $this->assertText(String::format('Ok: @input', array('@input' => $edit['input'])));
-
- // Retrieve the same form via HTTPS.
- $this->curlClose();
- $this->drupalGet($this->httpsUrl('session-test/form'), array(), array('Cookie: ' . $secure_session_name . '=' . $ssid));
- $https_token = $this->getFormToken();
-
- // Verify that CSRF token values are the same for a form regardless of
- // whether it was accessed via HTTP or HTTPS when SSL mixed mode is enabled.
- $this->assertEqual($http_token, $https_token, 'Form token is the same on HTTP as well as HTTPS form');
- }
-
- /**
- * Return the token of the current form.
- */
- protected function getFormToken() {
- $token_fields = $this->xpath('//input[@name="form_token"]');
- $this->assertEqual(count($token_fields), 1, 'One form token field on the page');
- return (string) $token_fields[0]['value'];
- }
-
/**
* Test that there exists a session with two specific session IDs.
*
* @param $sid
* The insecure session ID to search for.
- * @param $ssid
- * The secure session ID to search for.
* @param $assertion_text
* The text to display when we perform the assertion.
*
@@ -306,12 +121,11 @@ protected function getFormToken() {
* The result of assertTrue() that there's a session in the system that
* has the given insecure and secure session IDs.
*/
- protected function assertSessionIds($sid, $ssid, $assertion_text) {
+ protected function assertSessionIds($sid, $assertion_text) {
$args = array(
':sid' => Crypt::hashBase64($sid),
- ':ssid' => !empty($ssid) ? Crypt::hashBase64($ssid) : '',
);
- return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), $assertion_text);
+ return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid', $args)->fetchField(), $assertion_text);
}
/**
diff --git a/core/modules/system/system.install b/core/modules/system/system.install
index 108327a67ef0da380ac21f4663c60ed53c3483fd..8768f3dfe7e2de1816c077d71888db86606c5851 100644
--- a/core/modules/system/system.install
+++ b/core/modules/system/system.install
@@ -924,13 +924,6 @@ function system_schema() {
'length' => 128,
'not null' => TRUE,
),
- 'ssid' => array(
- 'description' => "Secure session ID (hashed). The value is generated by Drupal's session handlers.",
- 'type' => 'varchar',
- 'length' => 128,
- 'not null' => TRUE,
- 'default' => '',
- ),
'hostname' => array(
'description' => 'The IP address that last used this session ID (sid).',
'type' => 'varchar',
@@ -953,12 +946,10 @@ function system_schema() {
),
'primary key' => array(
'sid',
- 'ssid',
),
'indexes' => array(
'timestamp' => array('timestamp'),
'uid' => array('uid'),
- 'ssid' => array('ssid'),
),
'foreign keys' => array(
'session_user' => array(
diff --git a/core/modules/system/system.module b/core/modules/system/system.module
index 17e88f393dadda23357d355e5377d4dc08fcab12..4eaf7bb13b2cced65c9e2a639a525bdde3e77585 100644
--- a/core/modules/system/system.module
+++ b/core/modules/system/system.module
@@ -432,8 +432,6 @@ function system_authorized_init($callback, $file, $arguments = array(), $page_ti
*/
function system_authorized_get_url(array $options = array()) {
global $base_url;
- // Force HTTPS if available, regardless of what the caller specifies.
- $options['https'] = TRUE;
// Prefix with $base_url so url() treats it as an external link.
$url = Url::fromUri('base://core/authorize.php');
$url_options = $url->getOptions();
diff --git a/core/modules/system/tests/modules/session_test/session_test.module b/core/modules/system/tests/modules/session_test/session_test.module
index c618babd9794e025226561d11ad8e3a3e4f1a1f1..0fb2ae423a48ce1058daeef886ac1bfbd6c8c772 100644
--- a/core/modules/system/tests/modules/session_test/session_test.module
+++ b/core/modules/system/tests/modules/session_test/session_test.module
@@ -10,10 +10,3 @@ function session_test_user_login($account) {
exit;
}
}
-
-/**
- * Implements hook_form_FORM_ID_alter().
- */
-function session_test_form_user_login_form_alter(&$form) {
- $form['#https'] = TRUE;
-}
diff --git a/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php b/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php
index ef0a5286efea745397e741705d938d7fd05e5ea7..f2a8cecfeef317e3fdafed58bf29c582487e5dc9 100644
--- a/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php
+++ b/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php
@@ -13,7 +13,6 @@
use Drupal\Core\PathProcessor\PathProcessorDecode;
use Drupal\Core\PathProcessor\PathProcessorFront;
use Drupal\Core\PathProcessor\PathProcessorManager;
-use Drupal\Core\Site\Settings;
use Drupal\language\HttpKernel\PathProcessorLanguage;
use Drupal\language\Plugin\LanguageNegotiation\LanguageNegotiationUrl;
use Symfony\Component\HttpFoundation\Request;
@@ -151,7 +150,7 @@ function testProcessInbound() {
$alias_processor = new PathProcessorAlias($alias_manager);
$decode_processor = new PathProcessorDecode();
$front_processor = new PathProcessorFront($config_factory_stub);
- $language_processor = new PathProcessorLanguage($config_factory_stub, new Settings(array()), $this->languageManager, $negotiator, $current_user);
+ $language_processor = new PathProcessorLanguage($config_factory_stub, $this->languageManager, $negotiator, $current_user);
// First, test the processor manager with the processors in the incorrect
// order. The alias processor will run before the language processor, meaning
diff --git a/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php b/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php
index b3a044734be204fa7db967b31a0d9a168915d177..2e0b3dcb429d5549cfa5cc397f8b8ed8639aa791 100644
--- a/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php
+++ b/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php
@@ -11,7 +11,6 @@
use Drupal\Core\PathProcessor\PathProcessorManager;
use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Routing\UrlGenerator;
-use Drupal\Core\Site\Settings;
use Drupal\Tests\UnitTestCase;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\RequestStack;
@@ -32,13 +31,6 @@ class UrlGeneratorTest extends UnitTestCase {
*/
protected $generator;
- /**
- * A second url generator to test, set to assume mixed-mode sessions.
- *
- * @var \Drupal\Core\Routing\UrlGenerator
- */
- protected $generatorMixedMode;
-
/**
* The alias manager.
*
@@ -137,14 +129,9 @@ protected function setUp() {
$config_factory_stub = $this->getConfigFactoryStub(array('system.filter' => array('protocols' => array('http', 'https'))));
- $generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, new Settings(array()), NULL, $this->requestStack);
+ $generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, NULL, $this->requestStack);
$generator->setContext($context);
$this->generator = $generator;
-
- // Second generator for mixed-mode sessions.
- $generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, new Settings(array('mixed_mode_sessions' => TRUE)), NULL, $this->requestStack);
- $generator->setContext($context);
- $this->generatorMixedMode = $generator;
}
/**
@@ -310,17 +297,12 @@ public function testUrlGenerationWithHttpsRequirement() {
$url = $this->generator->generate('test_4', array(), TRUE);
$this->assertEquals('https://localhost/test/four', $url);
- $this->routeProcessorManager->expects($this->exactly(2))
+ $this->routeProcessorManager->expects($this->exactly(1))
->method('processOutbound')
->with($this->anything());
$options = array('absolute' => TRUE, 'https' => TRUE);
- // Mixed-mode sessions are not enabled, so the https option is ignored.
$url = $this->generator->generateFromRoute('test_1', array(), $options);
- $this->assertEquals('http://localhost/hello/world', $url);
-
- // Mixed-mode sessions are enabled, so the https option is obeyed.
- $url = $this->generatorMixedMode->generateFromRoute('test_1', array(), $options);
$this->assertEquals('https://localhost/hello/world', $url);
}
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index cc2eb327d62542fdb6d8c5673167fe982d6b319d..6d5f54fc3a5a3227e72d3a84c8ecb4deeed7d895 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -413,14 +413,6 @@
*/
# $settings['allow_authorize_operations'] = FALSE;
-/**
- * Mixed-mode sessions:
- *
- * Set to TRUE to create both secure and insecure sessions when using HTTPS.
- * Defaults to FALSE.
- */
-# $settings['mixed_mode_sessions'] = TRUE;
-
/**
* Default mode for for directories and files written by Drupal.
*