Newer
Older
<?php
Dave Cohen
committed
/**
* This file is a replacement for Drupal's session.inc. Although not
* truly a replacement, as we include the default session.inc to do the heavy
* lifting.
*
* In this file we handle some special cases for iframe canvas pages by faking
* cookies in cases where browsers do not accept them. We do this here
* because we must set session_id early in the bootstrap process, and Drupal
* gives us no way to easily do that.
Dave Cohen
committed
*/
// Default session handler functions.
require('includes/session.inc');
Dave Cohen
committed
// When Drupal's bootstrap includes this file, we have a chance to spoof a
// session cookie.
if (isset($_COOKIE[session_name()])) {
// Forget anything we thought we knew about session.
fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
}
elseif (fb_settings(FB_SETTINGS_TYPE) &&
fb_settings(FB_SETTINGS_TYPE) != 'connect') {
$session_id = NULL;
if ($token = fb_settings(FB_SETTINGS_TOKEN)) {
// Learned token from signed_request or session.
$session_id = md5($token);
Dave Cohen
committed
fb_settings(FB_SETTINGS_CB_SESSION, FALSE);
}
elseif (isset($_REQUEST['signed_request']) || isset($_REQUEST['session'])) {
// Signed request, but no token means not logged in.
Dave Cohen
committed
// Parse session from URL.
if ($session_id === NULL && function_exists('_fb_settings_parse')) {
$session_id = _fb_settings_parse(FB_SETTINGS_CB_SESSION);
}
if (!$session_id) {
// Generating an id and embedding in the URL will make a session where there would otherwise be none.
$session_id = uniqid(mt_rand(), TRUE);
// Embed session in URL.
fb_settings(FB_SETTINGS_CB_SESSION, $session_id);
}
}
Dave Cohen
committed
// Spoof a cookie so Drupal's session.inc works as expected.
if ($session_id) {
session_id($session_id);
$_COOKIE[session_name()] = session_id();
$_COOKIE['_fb_session_cookie_fake'] = TRUE;
Dave Cohen
committed
$GLOBALS['_fb_session_id'] = $session_id;
}
Dave Cohen
committed
/**
* When spoofing cookies, sess_regenerate causes problems when it changes the
* session id. Here we undo that change. Called from fb_user.module.
function fb_sess_regenerate_hack() {
Dave Cohen
committed
if (isset($GLOBALS['_fb_session_id'])) {
$session_id = $GLOBALS['_fb_session_id'];
db_query("UPDATE {sessions} SET sid = '%s' WHERE sid = '%s'", $session_id, session_id());
session_id($session_id);
}