Skip to content
Normal view History Permalink
fb_session.inc 2.27 KiB
Newer Older
Dave Cohen's avatar
Numerous changes to Drupal for Facebook. Significant updates. Manual...
Dave Cohen committed
1 
<?php
Dave Cohen's avatar
reworking session and user management. Changes bring this branch into sync with 5.x branch.  
Dave Cohen committed
2 
/**
Dave Cohen's avatar
code cleanup inspired by coder.module  
Dave Cohen committed
3 
 * @file
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
4 5 6 7 8 9 10 11 
 * This file is a replacement for Drupal's session.inc.  Although not
 * truly a replacement, as we include the default session.inc to do the heavy
 * lifting.
 *
 * In this file we handle some special cases for iframe canvas pages by faking
 * cookies in cases where browsers do not accept them.  We do this here
 * because we must set session_id early in the bootstrap process, and Drupal
 * gives us no way to easily do that.
Dave Cohen's avatar
reworking session and user management. Changes bring this branch into sync with 5.x branch.  
Dave Cohen committed
12 
 */
Dave Cohen's avatar
Numerous changes to Drupal for Facebook. Significant updates. Manual...
Dave Cohen committed
13
Dave Cohen's avatar
numerous changes, especially to session management and url rewriting....  
Dave Cohen committed
14 15 
// Default session handler functions.
require('includes/session.inc');
Dave Cohen's avatar
reworking session and user management. Changes bring this branch into sync with 5.x branch.  
Dave Cohen committed
16
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
17 18 
// When Drupal's bootstrap includes this file, we have a chance to spoof a
// session cookie.
Dave Cohen's avatar
cookies may be set even when third-party cookies disabled.  
Dave Cohen committed
19 
if (isset($_COOKIE[session_name()])) {
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
20 21 22 23 24 25 26 27 28 
  // Forget anything we thought we knew about session.
  fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
}
elseif (fb_settings(FB_SETTINGS_TYPE) &&
        fb_settings(FB_SETTINGS_TYPE) != 'connect') {
  $session_id = NULL;
  if ($token = fb_settings(FB_SETTINGS_TOKEN)) {
    // Learned token from signed_request or session.
    $session_id = md5($token);
Dave Cohen's avatar
#860930: A bunch of changes intended to better support browsers without third party cookies.  
Dave Cohen committed
29 
    fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
30 31 32 33 
  }
  elseif (isset($_REQUEST['signed_request']) || isset($_REQUEST['session'])) {
    // Signed request, but no token means not logged in.
Dave Cohen's avatar
#860930: A bunch of changes intended to better support browsers without third party cookies.  
Dave Cohen committed
34 35 36 37 38 39 40 41 42 43 44 
    // Parse session from URL.
    if ($session_id === NULL && function_exists('_fb_settings_parse')) {
      $session_id = _fb_settings_parse(FB_SETTINGS_CB_SESSION);
    }

    if (!$session_id) {
      // Generating an id and embedding in the URL will make a session where there would otherwise be none.
      $session_id = uniqid(mt_rand(), TRUE);
      // Embed session in URL.
      fb_settings(FB_SETTINGS_CB_SESSION, $session_id);
    }
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
45 46 
  }
Dave Cohen's avatar
#860930: A bunch of changes intended to better support browsers without third party cookies.  
Dave Cohen committed
47
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
48 49 50 51 52 
  // Spoof a cookie so Drupal's session.inc works as expected.
  if ($session_id) {
    session_id($session_id);
    $_COOKIE[session_name()] = session_id();
    $_COOKIE['_fb_session_cookie_fake'] = TRUE;
Dave Cohen's avatar
#860930: A bunch of changes intended to better support browsers without third party cookies.  
Dave Cohen committed
53 
    $GLOBALS['_fb_session_id'] = $session_id;
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
54 
  }
Dave Cohen's avatar
numerous changes, especially to session management and url rewriting....  
Dave Cohen committed
55 
}
Dave Cohen's avatar
reworking session and user management. Changes bring this branch into sync with 5.x branch.  
Dave Cohen committed
56
Dave Cohen's avatar
numerous changes, especially to session management and url rewriting....  
Dave Cohen committed
57 
/**
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
58 59 
 * When spoofing cookies, sess_regenerate causes problems when it changes the
 * session id.  Here we undo that change.  Called from fb_user.module.
Dave Cohen's avatar
numerous changes, especially to session management and url rewriting....  
Dave Cohen committed
60 
 */
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
61 
function fb_sess_regenerate_hack() {
Dave Cohen's avatar
#860930: A bunch of changes intended to better support browsers without third party cookies.  
Dave Cohen committed
62 63 
  if (isset($GLOBALS['_fb_session_id'])) {
    $session_id = $GLOBALS['_fb_session_id'];
Dave Cohen's avatar
attempt to work around third-party cookie issue by including session in URL.  
Dave Cohen committed
64 65 66 
    db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", $session_id, session_id());
    session_id($session_id);
  }
Dave Cohen's avatar
Fixed session handoff from drupal to facebook.  
Dave Cohen committed
67 
}