Commit 390a6767 authored by Aaron Wells's avatar Aaron Wells

Clear out duplicate session cookies created by calls to session_start()

Bug 1446036

Change-Id: I7f59b8c295a2ba6c2ffeca7bdab8899fef09bb0f
parent 6bc4db12
......@@ -553,6 +553,7 @@ function kill_children($username, $useragent) {
delete_records('sso_session',
'userid', $userid);
clear_duplicate_cookies();
return true;
}
......
......@@ -296,6 +296,9 @@ class Session {
else {
@session_start();
}
// Anytime you call session_start() more than once, PHP will usually
// send out a duplicate session header.
clear_duplicate_cookies();
}
/*
......@@ -332,6 +335,7 @@ class Session {
}
@session_start();
session_destroy();
clear_duplicate_cookies();
}
}
......@@ -434,6 +438,7 @@ function remove_user_sessions($userid) {
session_start();
}
clear_duplicate_cookies();
delete_records_select('usr_session', 'session IN (' . join(',', array_map('db_quote', $alive)) . ')');
}
......@@ -455,3 +460,33 @@ function remove_all_sessions() {
delete_records_select('usr_session', 'session != ?', array($sid));
}
/**
* Every time you call session_start(), PHP adds another
* identical session cookie to the response header. Do this
* enough times, and your response header becomes big enough
* to choke the web server.
*
* This method clears out the duplicate session cookies.
*/
function clear_duplicate_cookies() {
// If headers have already been sent, there's nothing we can do
if (headers_sent()) {
return;
}
$cookies = array();
foreach (headers_list() as $header) {
// Identify cookie headers
if (strpos($header, 'Set-Cookie:') === 0) {
$cookies[] = $header;
}
}
// Removes all cookie headers, not just the session one.
header_remove('Set-Cookie');
// Restore one copy of each cookie
foreach(array_unique($cookies) as $cookie) {
header($cookie, false);
}
}
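Review bot: The filter `strpos($header, 'Set-Cookie:') === 0` is case-sensitive, but the `header_remove('Set-Cookie')` that follows matches header names case-insensitively, so a cookie header emitted with different casing (e.g. `set-cookie:`) is dropped and never restored; `if (stripos($header, 'Set-Cookie:') === 0)` closes that gap. `array_unique()` only collapses byte-identical headers, so two session cookies with different values or attributes are both re-emitted in their original order — that is the right outcome after a regenerated id (the later header wins in the browser), but the docblock should say so, e.g. `Only byte-identical Set-Cookie headers are collapsed; distinct values for the same cookie name are kept in emission order.` Since the header string is re-sent verbatim via `header($cookie, false)`, the session cookie's HttpOnly/Secure/SameSite attributes survive the round trip; a one-line comment stating that would reassure future readers that this helper cannot downgrade cookie flags. The early `return` on `headers_sent()` silently leaves duplicates in place, which is presumably intended as best-effort; a comment noting that callers in the other hunks (kill_children, Session::start/destroy, remove_user_sessions) get no signal of that would help.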