From 8d601c74b1422d8d1c88b5b4be2e98ae18741dca Mon Sep 17 00:00:00 2001 From: webchick Date: Mon, 1 Dec 2014 08:26:28 -0800 Subject: [PATCH] Issue #2342593 by znerol, grendzy, David_Rothstein: Remove mixed SSL support from core --- core/core.services.yml | 2 +- .../Form/FileTransferAuthorizeForm.php | 3 - core/lib/Drupal/Core/Form/FormBuilder.php | 4 +- core/lib/Drupal/Core/Link.php | 3 +- core/lib/Drupal/Core/Routing/UrlGenerator.php | 19 +- .../Core/Routing/UrlGeneratorInterface.php | 6 +- .../Drupal/Core/Session/SessionHandler.php | 103 +--------- .../Drupal/Core/Session/SessionManager.php | 83 +------- .../Core/Session/SessionManagerInterface.php | 24 --- core/lib/Drupal/Core/Url.php | 9 +- .../Utility/UnroutedUrlAssemblerInterface.php | 3 +- .../src/HttpKernel/PathProcessorLanguage.php | 15 +- .../language/src/LanguageServiceProvider.php | 1 - .../LanguageNegotiationUrl.php | 2 +- .../LanguageUILanguageNegotiationTest.php | 4 - .../src/Tests/Session/SessionHttpsTest.php | 192 +----------------- core/modules/system/system.install | 9 - core/modules/system/system.module | 2 - .../modules/session_test/session_test.module | 7 - .../Core/PathProcessor/PathProcessorTest.php | 3 +- .../Tests/Core/Routing/UrlGeneratorTest.php | 22 +- sites/default/default.settings.php | 8 - 22 files changed, 34 insertions(+), 490 deletions(-) diff --git a/core/core.services.yml b/core/core.services.yml index a6663b4f15c..08bec381268 100644 --- a/core/core.services.yml +++ b/core/core.services.yml @@ -495,7 +495,7 @@ services: - { name: service_collector, tag: route_filter, call: addRouteFilter } url_generator: class: Drupal\Core\Routing\UrlGenerator - arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@settings', '@logger.channel.default', '@request_stack'] + arguments: ['@router.route_provider', '@path_processor_manager', '@route_processor_manager', '@config.factory', '@logger.channel.default', '@request_stack'] calls: - [setContext, ['@?router.request_context']] unrouted_url_assembler: diff --git a/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php b/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php index 12a0572695f..c8ae6cb9289 100644 --- a/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php +++ b/core/lib/Drupal/Core/FileTransfer/Form/FileTransferAuthorizeForm.php @@ -52,9 +52,6 @@ class FileTransferAuthorizeForm extends FormBase { * {@inheritdoc} */ public function buildForm(array $form, FormStateInterface $form_state) { - // If possible, we want to post this form securely via HTTPS. - $form['#https'] = TRUE; - // Get all the available ways to transfer files. if (empty($_SESSION['authorize_filetransfer_info'])) { drupal_set_message($this->t('Unable to continue, no available methods of file transfer'), 'error'); diff --git a/core/lib/Drupal/Core/Form/FormBuilder.php b/core/lib/Drupal/Core/Form/FormBuilder.php index d2040505722..bf356001d6c 100644 --- a/core/lib/Drupal/Core/Form/FormBuilder.php +++ b/core/lib/Drupal/Core/Form/FormBuilder.php @@ -16,7 +16,6 @@ use Drupal\Core\Access\CsrfTokenGenerator; use Drupal\Core\DependencyInjection\ClassResolverInterface; use Drupal\Core\Extension\ModuleHandlerInterface; use Drupal\Core\Render\Element; -use Drupal\Core\Site\Settings; use Drupal\Core\Theme\ThemeManagerInterface; use Symfony\Component\EventDispatcher\EventDispatcherInterface; use Symfony\Component\HttpFoundation\RequestStack; @@ -694,8 +693,7 @@ class FormBuilder implements FormBuilderInterface, FormValidatorInterface, FormS // Special handling if we're on the top level form element. if (isset($element['#type']) && $element['#type'] == 'form') { - if (!empty($element['#https']) && Settings::get('mixed_mode_sessions', FALSE) && - !UrlHelper::isExternal($element['#action'])) { + if (!empty($element['#https']) && !UrlHelper::isExternal($element['#action'])) { global $base_root; // Not an external URL so ensure that it is secure. diff --git a/core/lib/Drupal/Core/Link.php b/core/lib/Drupal/Core/Link.php index 35dddee4e95..489f54f4f90 100644 --- a/core/lib/Drupal/Core/Link.php +++ b/core/lib/Drupal/Core/Link.php @@ -67,8 +67,7 @@ class Link { * current language for the language type LanguageInterface::TYPE_URL. * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS - * and FALSE enforces HTTP. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * * @return static */ diff --git a/core/lib/Drupal/Core/Routing/UrlGenerator.php b/core/lib/Drupal/Core/Routing/UrlGenerator.php index 4657fdf2c91..ef59db92f02 100644 --- a/core/lib/Drupal/Core/Routing/UrlGenerator.php +++ b/core/lib/Drupal/Core/Routing/UrlGenerator.php @@ -20,7 +20,6 @@ use Drupal\Component\Utility\UrlHelper; use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\PathProcessor\OutboundPathProcessorInterface; use Drupal\Core\RouteProcessor\OutboundRouteProcessorInterface; -use Drupal\Core\Site\Settings; /** * Generates URLs from route names and parameters. @@ -48,13 +47,6 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa */ protected $routeProcessor; - /** - * Whether both secure and insecure session cookies can be used simultaneously. - * - * @var bool - */ - protected $mixedModeSessions; - /** * Overrides characters that will not be percent-encoded in the path segment. * @@ -78,19 +70,16 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa * The route processor. * @param \Drupal\Core\Config\ConfigFactoryInterface $config * The config factory. - * @param \Drupal\Core\Site\Settings $settings - * The read only settings. * @param \Psr\Log\LoggerInterface $logger * An optional logger for recording errors. * @param \Symfony\Component\HttpFoundation\RequestStack $request_stack * A request stack object. */ - public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, Settings $settings, LoggerInterface $logger = NULL, RequestStack $request_stack) { + public function __construct(RouteProviderInterface $provider, OutboundPathProcessorInterface $path_processor, OutboundRouteProcessorInterface $route_processor, ConfigFactoryInterface $config, LoggerInterface $logger = NULL, RequestStack $request_stack) { parent::__construct($provider, $logger); $this->pathProcessor = $path_processor; $this->routeProcessor = $route_processor; - $this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE); $allowed_protocols = $config->get('system.filter')->get('protocols') ?: array('http', 'https'); UrlHelper::setAllowedProtocols($allowed_protocols); $this->requestStack = $request_stack; @@ -190,7 +179,7 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa // Prepare an absolute URL by getting the correct scheme, host and port from // the request context. - if (isset($options['https']) && $this->mixedModeSessions) { + if (isset($options['https'])) { $scheme = $options['https'] ? 'https' : 'http'; } else { @@ -262,7 +251,7 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa if ($options['query']) { $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . UrlHelper::buildQuery($options['query']); } - if (isset($options['https']) && $this->mixedModeSessions) { + if (isset($options['https'])) { if ($options['https'] === TRUE) { $path = str_replace('http://', 'https://', $path); } @@ -282,7 +271,7 @@ class UrlGenerator extends ProviderBasedGenerator implements UrlGeneratorInterfa } // The base_url might be rewritten from the language rewrite in domain mode. if (!isset($options['base_url'])) { - if (isset($options['https']) && $this->mixedModeSessions) { + if (isset($options['https'])) { if ($options['https'] === TRUE) { $options['base_url'] = str_replace('http://', 'https://', $current_base_url); $options['absolute'] = TRUE; diff --git a/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php b/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php index e80e193e4bc..a30db190fb7 100644 --- a/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php +++ b/core/lib/Drupal/Core/Routing/UrlGeneratorInterface.php @@ -58,8 +58,7 @@ interface UrlGeneratorInterface extends VersatileGeneratorInterface { * \Drupal::languageManager()->getCurrentLanguage(LanguageInterface::TYPE_URL). * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can - * only be enforced when the variable 'https' is set to TRUE. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * - 'base_url': Only used internally, to modify the base URL when a language * dependent URL requires so. * - 'prefix': Only used internally, to modify the path when a language @@ -132,8 +131,7 @@ interface UrlGeneratorInterface extends VersatileGeneratorInterface { * current language for the language type LanguageInterface::TYPE_URL. * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS - * and FALSE enforces HTTP. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * - 'prefix': Only used internally, to modify the path when a language * dependent URL requires so. * diff --git a/core/lib/Drupal/Core/Session/SessionHandler.php b/core/lib/Drupal/Core/Session/SessionHandler.php index 2b37af4615d..62b40740607 100644 --- a/core/lib/Drupal/Core/Session/SessionHandler.php +++ b/core/lib/Drupal/Core/Session/SessionHandler.php @@ -78,44 +78,15 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface { // Handle the case of first time visitors and clients that don't store // cookies (eg. web crawlers). - $insecure_session_name = $this->sessionManager->getInsecureName(); $cookies = $this->requestStack->getCurrentRequest()->cookies; - if (empty($sid) || (!$cookies->has($this->getName()) && !$cookies->has($insecure_session_name))) { + if (empty($sid) || !$cookies->has($this->getName())) { $user = new UserSession(); return ''; } - // Otherwise, if the session is still active, we have a record of the - // client's session in the database. If it's HTTPS then we are either have a - // HTTPS session or we are about to log in so we check the sessions table - // for an anonymous session with the non-HTTPS-only cookie. The session ID - // that is in the user's cookie is hashed before being stored in the - // database as a security measure. Thus, we have to hash it to match the - // database. - if ($this->requestStack->getCurrentRequest()->isSecure()) { - // Try to load a session using the HTTPS-only secure session id. - $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.ssid = :ssid", array( - ':ssid' => Crypt::hashBase64($sid), - ))->fetchAssoc(); - if (!$values) { - // Fallback and try to load the anonymous non-HTTPS session. Use the - // non-HTTPS session id as the key. - if ($cookies->has($insecure_session_name)) { - $insecure_session_id = $cookies->get($insecure_session_name); - $args = array(':sid' => Crypt::hashBase64($insecure_session_id)); - $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid AND s.uid = 0", $args)->fetchAssoc(); - if ($values) { - $this->sessionSetObsolete($insecure_session_id); - } - } - } - } - else { - // Try to load a session using the non-HTTPS session id. - $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array( - ':sid' => Crypt::hashBase64($sid), - ))->fetchAssoc(); - } + $values = $this->connection->query("SELECT u.*, s.* FROM {users_field_data} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE u.default_langcode = 1 AND s.sid = :sid", array( + ':sid' => Crypt::hashBase64($sid), + ))->fetchAssoc(); // We found the client's session record and they are an authenticated, // active user. @@ -158,42 +129,17 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface { return TRUE; } - // Either ssid or sid or both will be added from $key below. $fields = array( 'uid' => $user->id(), 'hostname' => $this->requestStack->getCurrentRequest()->getClientIP(), 'session' => $value, 'timestamp' => REQUEST_TIME, ); - // Use the session ID as 'sid' and an empty string as 'ssid' by default. - // read() does not allow empty strings so that's a safe default. - $key = array('sid' => Crypt::hashBase64($sid), 'ssid' => ''); - // On HTTPS connections, use the session ID as both 'sid' and 'ssid'. - if ($this->requestStack->getCurrentRequest()->isSecure()) { - $key['ssid'] = $key['sid']; - // The "secure pages" setting allows a site to simultaneously use both - // secure and insecure session cookies. If enabled and both cookies - // are presented then use both keys. The session ID from the cookie is - // hashed before being stored in the database as a security measure. - if ($this->sessionManager->isMixedMode()) { - $insecure_session_name = $this->sessionManager->getInsecureName(); - $cookies = $this->requestStack->getCurrentRequest()->cookies; - if ($cookies->has($insecure_session_name)) { - $key['sid'] = Crypt::hashBase64($cookies->get($insecure_session_name)); - } - } - } - elseif ($this->sessionManager->isMixedMode()) { - unset($key['ssid']); - } $this->connection->merge('sessions') - ->keys($key) + ->keys(array('sid' => Crypt::hashBase64($sid))) ->fields($fields) ->execute(); - // Remove obsolete sessions. - $this->cleanupObsoleteSessions(); - // Likewise, do not update access time more than once per 180 seconds. if ($user->isAuthenticated() && REQUEST_TIME - $user->getLastAccessedTime() > Settings::get('session_write_interval', 180)) { /** @var \Drupal\user\UserStorageInterface $storage */ @@ -231,10 +177,9 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface { if (!$this->sessionManager->isEnabled()) { return TRUE; } - $is_https = $this->requestStack->getCurrentRequest()->isSecure(); // Delete session data. $this->connection->delete('sessions') - ->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($sid)) + ->condition('sid', Crypt::hashBase64($sid)) ->execute(); // Reset $_SESSION and $user to prevent a new session from being started @@ -244,15 +189,6 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface { // Unset the session cookies. $this->deleteCookie($this->getName()); - if ($is_https) { - $this->deleteCookie($this->sessionManager->getInsecureName(), FALSE); - } - elseif ($this->sessionManager->isMixedMode()) { - $this->deleteCookie('S' . $this->getName(), TRUE); - } - - // Remove obsolete sessions. - $this->cleanupObsoleteSessions(); return TRUE; } @@ -277,37 +213,14 @@ class SessionHandler extends AbstractProxy implements \SessionHandlerInterface { * * @param string $name * Name of session cookie to delete. - * @param bool $secure - * Force the secure value of the cookie. */ - protected function deleteCookie($name, $secure = NULL) { + protected function deleteCookie($name) { $cookies = $this->requestStack->getCurrentRequest()->cookies; - if ($cookies->has($name) || (!$this->requestStack->getCurrentRequest()->isSecure() && $secure === TRUE)) { + if ($cookies->has($name)) { $params = session_get_cookie_params(); - if ($secure !== NULL) { - $params['secure'] = $secure; - } setcookie($name, '', REQUEST_TIME - 3600, $params['path'], $params['domain'], $params['secure'], $params['httponly']); $cookies->remove($name); } } - /** - * Mark a session for garbage collection upon session save. - */ - protected function sessionSetObsolete($sid, $https = FALSE) { - $this->obsoleteSessionIds[$sid] = $https ? 'ssid' : 'sid'; - } - - /** - * Remove sessions marked for garbage collection. - */ - protected function cleanupObsoleteSessions() { - foreach ($this->obsoleteSessionIds as $sid => $key) { - $this->connection->delete('sessions') - ->condition($key, Crypt::hashBase64($sid)) - ->execute(); - } - } - } diff --git a/core/lib/Drupal/Core/Session/SessionManager.php b/core/lib/Drupal/Core/Session/SessionManager.php index 5bf7d10a140..157f303ae35 100644 --- a/core/lib/Drupal/Core/Session/SessionManager.php +++ b/core/lib/Drupal/Core/Session/SessionManager.php @@ -31,18 +31,10 @@ use Symfony\Component\HttpFoundation\Session\Storage\NativeSessionStorage; * necessary to subclass it at all. In order to reach the point where Drupal * can use the Symfony session management unmodified, the code implemented * here needs to be extracted either into a dedicated session handler proxy - * (e.g. mixed mode SSL, sid-hashing) or relocated to the authentication - * subsystem. + * (e.g. sid-hashing) or relocated to the authentication subsystem. */ class SessionManager extends NativeSessionStorage implements SessionManagerInterface { - /** - * Whether or not the session manager is operating in mixed mode SSL. - * - * @var bool - */ - protected $mixedMode; - /** * The request stack. * @@ -100,8 +92,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter parent::__construct($options, $write_check_handler, $metadata_bag); - $this->setMixedMode($settings->get('mixed_mode_sessions', FALSE)); - // @todo When not using the Symfony Session object, the list of bags in the // NativeSessionStorage will remain uninitialized. This will lead to // errors in NativeSessionHandler::loadSession. Remove this after @@ -121,10 +111,8 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter return $this->started; } - $is_https = $this->requestStack->getCurrentRequest()->isSecure(); $cookies = $this->requestStack->getCurrentRequest()->cookies; - $insecure_session_name = $this->getInsecureName(); - if (($cookies->has($this->getName()) && ($session_name = $cookies->get($this->getName()))) || ($is_https && $this->isMixedMode() && ($cookies->has($insecure_session_name) && ($session_name = $cookies->get($insecure_session_name))))) { + if ($cookies->get($this->getName())) { // If a session cookie exists, initialize the session. Otherwise the // session is only started on demand in save(), making // anonymous users not use a session cookie unless something is stored in @@ -144,10 +132,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter // default php session id instead of generating a custom one: // https://www.drupal.org/node/2238561 $this->setId(Crypt::randomBytesBase64()); - if ($is_https && $this->isMixedMode()) { - $session_id = Crypt::randomBytesBase64(); - $cookies->set($insecure_session_name, $session_id); - } // Initialize the session global and attach the Symfony session bags. $_SESSION = array(); @@ -214,13 +198,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter // started. if (!$this->getSaveHandler()->isActive()) { $this->startNow(); - if ($this->requestStack->getCurrentRequest()->isSecure() && $this->isMixedMode()) { - $insecure_session_name = $this->getInsecureName(); - $params = session_get_cookie_params(); - $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0; - $cookie_params = $this->requestStack->getCurrentRequest()->cookies; - setcookie($insecure_session_name, $cookie_params->get($insecure_session_name), $expire, $params['path'], $params['domain'], FALSE, $params['httponly']); - } } // Write the session data. parent::save(); @@ -246,22 +223,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter throw new \InvalidArgumentException('The optional parameters $destroy and $lifetime of SessionManager::regenerate() are not supported currently'); } - $is_https = $this->requestStack->getCurrentRequest()->isSecure(); - $cookies = $this->requestStack->getCurrentRequest()->cookies; - $insecure_session_id = ''; - - if ($is_https && $this->isMixedMode()) { - $insecure_session_name = $this->getInsecureName(); - $params = session_get_cookie_params(); - $insecure_session_id = Crypt::randomBytesBase64(); - // If a session cookie lifetime is set, the session will expire - // $params['lifetime'] seconds from the current request. If it is not set, - // it will expire when the browser is closed. - $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0; - setcookie($insecure_session_name, $insecure_session_id, $expire, $params['path'], $params['domain'], FALSE, $params['httponly']); - $cookies->set($insecure_session_name, $insecure_session_id); - } - if ($this->isStarted()) { $old_session_id = $this->getId(); } @@ -273,7 +234,7 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter $params = session_get_cookie_params(); $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0; setcookie($this->getName(), $this->getId(), $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']); - $this->migrateStoredSession($old_session_id, $is_https, $insecure_session_id); + $this->migrateStoredSession($old_session_id); } if (!$this->isStarted()) { @@ -323,27 +284,6 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter return $this; } - /** - * {@inheritdoc} - */ - public function isMixedMode() { - return $this->mixedMode; - } - - /** - * {@inheritdoc} - */ - public function setMixedMode($mixed_mode) { - $this->mixedMode = (bool) $mixed_mode; - } - - /** - * {@inheritdoc} - */ - public function getInsecureName() { - return substr($this->getName(), 1); - } - /** * Returns whether the current PHP process runs on CLI. * @@ -401,25 +341,12 @@ class SessionManager extends NativeSessionStorage implements SessionManagerInter * @param string $old_session_id * The old session id. The new session id is $this->getId() unless * $new_insecure_session_id is not empty. - * @param bool $is_https - * Whether this is a HTTPS request. - * @param string $new_insecure_session_id - * If this is a HTTPS request and we are in mixed mode, this is the new - * insecure session id. The secure session id is $this->getId(). */ - protected function migrateStoredSession($old_session_id, $is_https, $new_insecure_session_id) { + protected function migrateStoredSession($old_session_id) { $fields = array('sid' => Crypt::hashBase64($this->getId())); - if ($is_https) { - $fields['ssid'] = $fields['sid']; - // If the "secure pages" setting is enabled, use the newly-created - // insecure session identifier as the regenerated sid. - if ($this->isMixedMode()) { - $fields['sid'] = Crypt::hashBase64($new_insecure_session_id); - } - } $this->connection->update('sessions') ->fields($fields) - ->condition($is_https ? 'ssid' : 'sid', Crypt::hashBase64($old_session_id)) + ->condition('sid', Crypt::hashBase64($old_session_id)) ->execute(); } diff --git a/core/lib/Drupal/Core/Session/SessionManagerInterface.php b/core/lib/Drupal/Core/Session/SessionManagerInterface.php index b620c6630d2..c86fb7df647 100644 --- a/core/lib/Drupal/Core/Session/SessionManagerInterface.php +++ b/core/lib/Drupal/Core/Session/SessionManagerInterface.php @@ -50,28 +50,4 @@ interface SessionManagerInterface extends SessionStorageInterface { */ public function enable(); - /** - * Returns whether mixed mode SSL sessions are enabled in the session manager. - * - * @return bool - * Value of the mixed mode SSL sessions flag. - */ - public function isMixedMode(); - - /** - * Enables or disables mixed mode SSL sessions in the session manager. - * - * @param bool $mixed_mode - * New value for the mixed mode SSL sessions flag. - */ - public function setMixedMode($mixed_mode); - - /** - * Returns the name of the insecure session when operating in mixed mode SSL. - * - * @return string - * The name of the insecure session. - */ - public function getInsecureName(); - } diff --git a/core/lib/Drupal/Core/Url.php b/core/lib/Drupal/Core/Url.php index 39ce1251b3d..999f4477dd9 100644 --- a/core/lib/Drupal/Core/Url.php +++ b/core/lib/Drupal/Core/Url.php @@ -120,8 +120,7 @@ class Url { * current language for the language type LanguageInterface::TYPE_URL. * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS - * and FALSE enforces HTTP. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * * @see static::fromRoute() * @see static::fromUri() @@ -161,8 +160,7 @@ class Url { * current language for the language type LanguageInterface::TYPE_URL. * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS - * and FALSE enforces HTTP. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * * @return \Drupal\Core\Url * A new Url object for a routed (internal to Drupal) URL. @@ -216,8 +214,7 @@ class Url { * current language for the language type LanguageInterface::TYPE_URL. * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. if mixed mode sessions are permitted, TRUE enforces HTTPS - * and FALSE enforces HTTP. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * * @return \Drupal\Core\Url * A new Url object for an unrouted (non-Drupal) URL. diff --git a/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php b/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php index c1caa44ef86..d224a4799e5 100644 --- a/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php +++ b/core/lib/Drupal/Core/Utility/UnroutedUrlAssemblerInterface.php @@ -44,8 +44,7 @@ interface UnroutedUrlAssemblerInterface { * displayed outside the site, such as in an RSS feed. * - 'https': Whether this URL should point to a secure location. If not * defined, the current scheme is used, so the user stays on HTTP or HTTPS - * respectively. TRUE enforces HTTPS and FALSE enforces HTTP, but HTTPS can - * only be enforced when the variable 'https' is set to TRUE. + * respectively. TRUE enforces HTTPS and FALSE enforces HTTP. * * @return * A string containing a relative or absolute URL. diff --git a/core/modules/language/src/HttpKernel/PathProcessorLanguage.php b/core/modules/language/src/HttpKernel/PathProcessorLanguage.php index c3a6a9fc616..f1402b56cf2 100644 --- a/core/modules/language/src/HttpKernel/PathProcessorLanguage.php +++ b/core/modules/language/src/HttpKernel/PathProcessorLanguage.php @@ -11,7 +11,6 @@ use Drupal\Component\Utility\Unicode; use Drupal\Core\Config\ConfigFactoryInterface; use Drupal\Core\PathProcessor\InboundPathProcessorInterface; use Drupal\Core\PathProcessor\OutboundPathProcessorInterface; -use Drupal\Core\Site\Settings; use Drupal\language\ConfigurableLanguageManagerInterface; use Drupal\language\LanguageNegotiatorInterface; use Symfony\Component\HttpFoundation\Request; @@ -29,13 +28,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa */ protected $config; - /** - * Whether both secure and insecure session cookies can be used simultaneously. - * - * @var bool - */ - protected $mixedModeSessions; - /** * Language manager for retrieving the url language type. * @@ -69,8 +61,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa * * @param \Drupal\Core\Config\ConfigFactoryInterface $config * A config factory object for retrieving configuration settings. - * @param \Drupal\Core\Site\Settings $settings - * The settings instance. * @param \Drupal\language\ConfigurableLanguageManagerInterface $language_manager * The configurable language manager. * @param \Drupal\language\LanguageNegotiatorInterface @@ -78,9 +68,8 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa * @param \Drupal\Core\Session\AccountInterface $current_user * The current active user. */ - public function __construct(ConfigFactoryInterface $config, Settings $settings, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) { + public function __construct(ConfigFactoryInterface $config, ConfigurableLanguageManagerInterface $language_manager, LanguageNegotiatorInterface $negotiator, AccountInterface $current_user) { $this->config = $config; - $this->mixedModeSessions = $settings->get('mixed_mode_sessions', FALSE); $this->languageManager = $language_manager; $this->negotiator = $negotiator; $this->negotiator->setCurrentUser($current_user); @@ -115,8 +104,6 @@ class PathProcessorLanguage implements InboundPathProcessorInterface, OutboundPa if (!isset($this->processors[$scope])) { $this->initProcessors($scope); } - // Execute outbound language processors. - $options['mixed_mode_sessions'] = $this->mixedModeSessions; foreach ($this->processors[$scope] as $instance) { $path = $instance->processOutbound($path, $options, $request); } diff --git a/core/modules/language/src/LanguageServiceProvider.php b/core/modules/language/src/LanguageServiceProvider.php index be89900c163..d7c4dddb3fa 100644 --- a/core/modules/language/src/LanguageServiceProvider.php +++ b/core/modules/language/src/LanguageServiceProvider.php @@ -37,7 +37,6 @@ class LanguageServiceProvider extends ServiceProviderBase { ->addTag('path_processor_inbound', array('priority' => 300)) ->addTag('path_processor_outbound', array('priority' => 100)) ->addArgument(new Reference('config.factory')) - ->addArgument(new Reference('settings')) ->addArgument(new Reference('language_manager')) ->addArgument(new Reference('language_negotiator')) ->addArgument(new Reference('current_user')); diff --git a/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php b/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php index d84bee48aca..b76b1b18cd5 100644 --- a/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php +++ b/core/modules/language/src/Plugin/LanguageNegotiation/LanguageNegotiationUrl.php @@ -169,7 +169,7 @@ class LanguageNegotiationUrl extends LanguageNegotiationMethodBase implements In $options['base_url'] .= ':' . $port; } - if (isset($options['https']) && !empty($options['mixed_mode_sessions'])) { + if (isset($options['https'])) { if ($options['https'] === TRUE) { $options['base_url'] = str_replace('http://', 'https://', $options['base_url']); } diff --git a/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php b/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php index 440ee364975..fb4a3bbab23 100644 --- a/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php +++ b/core/modules/language/src/Tests/LanguageUILanguageNegotiationTest.php @@ -468,13 +468,9 @@ class LanguageUILanguageNegotiationTest extends WebTestBase { $this->assertEqual($italian_url, $correct_link, format_string('The _url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url))); // Test HTTPS via options. - $this->settingsSet('mixed_mode_sessions', TRUE); - $this->rebuildContainer(); - $italian_url = _url('admin', array('https' => TRUE, 'language' => $languages['it'], 'script' => '')); $correct_link = 'https://' . $link; $this->assertTrue($italian_url == $correct_link, format_string('The _url() function returns the right HTTPS URL (via options) (@url) in accordance with the chosen language', array('@url' => $italian_url))); - $this->settingsSet('mixed_mode_sessions', FALSE); // Test HTTPS via current URL scheme. $request = Request::create('', 'GET', array(), array(), array(), array('HTTPS' => 'on')); diff --git a/core/modules/system/src/Tests/Session/SessionHttpsTest.php b/core/modules/system/src/Tests/Session/SessionHttpsTest.php index 06e0e19aa65..9af167b5129 100644 --- a/core/modules/system/src/Tests/Session/SessionHttpsTest.php +++ b/core/modules/system/src/Tests/Session/SessionHttpsTest.php @@ -64,7 +64,7 @@ class SessionHttpsTest extends WebTestBase { // Check insecure cookie is not set. $this->assertFalse(isset($this->cookies[$insecure_session_name])); $ssid = $this->cookies[$secure_session_name]['value']; - $this->assertSessionIds($ssid, $ssid, 'Session has a non-empty SID and a correct secure SID.'); + $this->assertSessionIds($ssid, 'Session has a non-empty SID and a correct secure SID.'); $cookie = $secure_session_name . '=' . $ssid; // Verify that user is logged in on secure URL. @@ -109,196 +109,11 @@ class SessionHttpsTest extends WebTestBase { $this->cookies = array(); } - /** - * Tests sessions in SSL mixed mode. - */ - protected function testMixedModeSslSession() { - if ($this->request->isSecure()) { - // The functionality does not make sense when running on HTTPS. - return; - } - else { - $secure_session_name = 'S' . $this->getSessionName(); - $insecure_session_name = $this->getSessionName(); - } - - // Enable secure pages. - $this->settingsSet('mixed_mode_sessions', TRUE); - // Write that value also into the test settings.php file. - $settings['settings']['mixed_mode_sessions'] = (object) array( - 'value' => TRUE, - 'required' => TRUE, - ); - $this->writeSettings($settings); - - $user = $this->drupalCreateUser(array('access administration pages')); - - $this->curlClose(); - // Start an anonymous session on the insecure site. - $session_data = $this->randomMachineName(); - $this->drupalGet('session-test/set/' . $session_data); - // Check secure cookie on insecure page. - $this->assertFalse(isset($this->cookies[$secure_session_name]), 'The secure cookie is not sent on insecure pages.'); - // Check insecure cookie on insecure page. - $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute'); - - // Store the anonymous cookie so we can validate that its session is killed - // after login. - $anonymous_cookie = $insecure_session_name . '=' . $this->cookies[$insecure_session_name]['value']; - - // Check that password request form action is not secure. - $this->drupalGet('user/password'); - $form = $this->xpath('//form[@id="user-pass"]'); - $this->assertNotEqual(substr($form[0]['action'], 0, 6), 'https:', 'Password request form action is not secure'); - $form[0]['action'] = $this->httpsUrl('user/login'); - - // Check that user login form action is secure. - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $this->assertEqual(substr($form[0]['action'], 0, 6), 'https:', 'Login form action is secure'); - $form[0]['action'] = $this->httpsUrl('user/login'); - - $edit = array( - 'name' => $user->getUsername(), - 'pass' => $user->pass_raw, - ); - $this->drupalPostForm(NULL, $edit, t('Log in')); - // Check secure cookie on secure page. - $this->assertTrue($this->cookies[$secure_session_name]['secure'], 'The secure cookie has the secure attribute'); - // Check insecure cookie on secure page. - $this->assertFalse($this->cookies[$insecure_session_name]['secure'], 'The insecure cookie does not have the secure attribute'); - - $sid = $this->cookies[$insecure_session_name]['value']; - $ssid = $this->cookies[$secure_session_name]['value']; - $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs'); - $cookies = array( - 'http' => $insecure_session_name . '=' . $sid, - 'https' => $secure_session_name . '=' . $ssid, - ); - - // Test that session data saved before login is still available on the - // authenticated session. - $this->drupalGet('session-test/get'); - $this->assertText($session_data, 'Session correctly returned the stored data set by the anonymous session.'); - - foreach ($cookies as $cookie_key => $cookie) { - foreach (array('http' => 'admin/config', 'https' => $this->httpsUrl('admin/config')) as $url_key => $url) { - $this->curlClose(); - // The HTTPS setting needs to be set correctly on the request for the - // URL generator to work. - $this->request->server->set('HTTPS', $url_key == 'https' ? 'on' : 'off'); - - $this->drupalGet($url, array(), array('Cookie: ' . $cookie)); - if ($cookie_key == $url_key) { - $this->assertText(t('Configuration')); - $this->assertResponse(200); - } - else { - $this->assertNoText(t('Configuration')); - $this->assertResponse(403); - } - } - } - - // Test that session data saved before login is not available using the - // pre-login anonymous cookie. - $this->cookies = array(); - $this->drupalGet('session-test/get', array(), array('Cookie: ' . $anonymous_cookie)); - $this->assertNoText($session_data, 'Initial anonymous session is inactive after login.'); - - // Clear browser cookie jar. - $this->cookies = array(); - - // Start an anonymous session on the secure site. - $this->drupalGet($this->httpsUrl('session-test/set/1')); - - // Mock a login to the secure site using the secure session cookie. - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $this->drupalPostForm(NULL, $edit, t('Log in')); - - // Test that the user is also authenticated on the insecure site. - $this->drupalGet("user/" . $user->id() . "/edit"); - $this->assertResponse(200); - } - - /** - * Ensure that a CSRF form token is shared in SSL mixed mode. - */ - protected function testCsrfTokenWithMixedModeSsl() { - if ($this->request->isSecure()) { - $secure_session_name = $this->getSessionName(); - $insecure_session_name = substr($this->getSessionName(), 1); - } - else { - $secure_session_name = 'S' . $this->getSessionName(); - $insecure_session_name = $this->getSessionName(); - } - - // Enable mixed mode SSL. - $this->settingsSet('mixed_mode_sessions', TRUE); - // Write that value also into the test settings.php file. - $settings['settings']['mixed_mode_sessions'] = (object) array( - 'value' => TRUE, - 'required' => TRUE, - ); - $this->writeSettings($settings); - - $user = $this->drupalCreateUser(array('access administration pages')); - - // Login using the HTTPS user-login form. - $this->drupalGet('user/login'); - $form = $this->xpath('//form[@id="user-login-form"]'); - $form[0]['action'] = $this->httpsUrl('user/login'); - $edit = array('name' => $user->getUsername(), 'pass' => $user->pass_raw); - $this->drupalPostForm(NULL, $edit, t('Log in')); - - // Collect session id cookies. - $sid = $this->cookies[$insecure_session_name]['value']; - $ssid = $this->cookies[$secure_session_name]['value']; - $this->assertSessionIds($sid, $ssid, 'Session has both secure and insecure SIDs'); - - // Retrieve the form via HTTP. - $this->curlClose(); - $this->drupalGet($this->httpUrl('session-test/form'), array(), array('Cookie: ' . $insecure_session_name . '=' . $sid)); - $http_token = $this->getFormToken(); - - // Verify that submitting form values via HTTPS to a form originally - // retrieved over HTTP works. - $form = $this->xpath('//form[@id="session-test-form"]'); - $form[0]['action'] = $this->httpsUrl('session-test/form'); - $edit = array('input' => $this->randomMachineName(32)); - $this->curlClose(); - $this->drupalPostForm(NULL, $edit, 'Save', array('Cookie: ' . $secure_session_name . '=' . $ssid)); - $this->assertText(String::format('Ok: @input', array('@input' => $edit['input']))); - - // Retrieve the same form via HTTPS. - $this->curlClose(); - $this->drupalGet($this->httpsUrl('session-test/form'), array(), array('Cookie: ' . $secure_session_name . '=' . $ssid)); - $https_token = $this->getFormToken(); - - // Verify that CSRF token values are the same for a form regardless of - // whether it was accessed via HTTP or HTTPS when SSL mixed mode is enabled. - $this->assertEqual($http_token, $https_token, 'Form token is the same on HTTP as well as HTTPS form'); - } - - /** - * Return the token of the current form. - */ - protected function getFormToken() { - $token_fields = $this->xpath('//input[@name="form_token"]'); - $this->assertEqual(count($token_fields), 1, 'One form token field on the page'); - return (string) $token_fields[0]['value']; - } - /** * Test that there exists a session with two specific session IDs. * * @param $sid * The insecure session ID to search for. - * @param $ssid - * The secure session ID to search for. * @param $assertion_text * The text to display when we perform the assertion. * @@ -306,12 +121,11 @@ class SessionHttpsTest extends WebTestBase { * The result of assertTrue() that there's a session in the system that * has the given insecure and secure session IDs. */ - protected function assertSessionIds($sid, $ssid, $assertion_text) { + protected function assertSessionIds($sid, $assertion_text) { $args = array( ':sid' => Crypt::hashBase64($sid), - ':ssid' => !empty($ssid) ? Crypt::hashBase64($ssid) : '', ); - return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid AND ssid = :ssid', $args)->fetchField(), $assertion_text); + return $this->assertTrue(db_query('SELECT timestamp FROM {sessions} WHERE sid = :sid', $args)->fetchField(), $assertion_text); } /** diff --git a/core/modules/system/system.install b/core/modules/system/system.install index 108327a67ef..8768f3dfe7e 100644 --- a/core/modules/system/system.install +++ b/core/modules/system/system.install @@ -924,13 +924,6 @@ function system_schema() { 'length' => 128, 'not null' => TRUE, ), - 'ssid' => array( - 'description' => "Secure session ID (hashed). The value is generated by Drupal's session handlers.", - 'type' => 'varchar', - 'length' => 128, - 'not null' => TRUE, - 'default' => '', - ), 'hostname' => array( 'description' => 'The IP address that last used this session ID (sid).', 'type' => 'varchar', @@ -953,12 +946,10 @@ function system_schema() { ), 'primary key' => array( 'sid', - 'ssid', ), 'indexes' => array( 'timestamp' => array('timestamp'), 'uid' => array('uid'), - 'ssid' => array('ssid'), ), 'foreign keys' => array( 'session_user' => array( diff --git a/core/modules/system/system.module b/core/modules/system/system.module index 17e88f393da..4eaf7bb13b2 100644 --- a/core/modules/system/system.module +++ b/core/modules/system/system.module @@ -432,8 +432,6 @@ function system_authorized_init($callback, $file, $arguments = array(), $page_ti */ function system_authorized_get_url(array $options = array()) { global $base_url; - // Force HTTPS if available, regardless of what the caller specifies. - $options['https'] = TRUE; // Prefix with $base_url so url() treats it as an external link. $url = Url::fromUri('base://core/authorize.php'); $url_options = $url->getOptions(); diff --git a/core/modules/system/tests/modules/session_test/session_test.module b/core/modules/system/tests/modules/session_test/session_test.module index c618babd979..0fb2ae423a4 100644 --- a/core/modules/system/tests/modules/session_test/session_test.module +++ b/core/modules/system/tests/modules/session_test/session_test.module @@ -10,10 +10,3 @@ function session_test_user_login($account) { exit; } } - -/** - * Implements hook_form_FORM_ID_alter(). - */ -function session_test_form_user_login_form_alter(&$form) { - $form['#https'] = TRUE; -} diff --git a/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php b/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php index ef0a5286efe..f2a8cecfeef 100644 --- a/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php +++ b/core/tests/Drupal/Tests/Core/PathProcessor/PathProcessorTest.php @@ -13,7 +13,6 @@ use Drupal\Core\PathProcessor\PathProcessorAlias; use Drupal\Core\PathProcessor\PathProcessorDecode; use Drupal\Core\PathProcessor\PathProcessorFront; use Drupal\Core\PathProcessor\PathProcessorManager; -use Drupal\Core\Site\Settings; use Drupal\language\HttpKernel\PathProcessorLanguage; use Drupal\language\Plugin\LanguageNegotiation\LanguageNegotiationUrl; use Symfony\Component\HttpFoundation\Request; @@ -151,7 +150,7 @@ class PathProcessorTest extends UnitTestCase { $alias_processor = new PathProcessorAlias($alias_manager); $decode_processor = new PathProcessorDecode(); $front_processor = new PathProcessorFront($config_factory_stub); - $language_processor = new PathProcessorLanguage($config_factory_stub, new Settings(array()), $this->languageManager, $negotiator, $current_user); + $language_processor = new PathProcessorLanguage($config_factory_stub, $this->languageManager, $negotiator, $current_user); // First, test the processor manager with the processors in the incorrect // order. The alias processor will run before the language processor, meaning diff --git a/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php b/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php index b3a044734be..2e0b3dcb429 100644 --- a/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php +++ b/core/tests/Drupal/Tests/Core/Routing/UrlGeneratorTest.php @@ -11,7 +11,6 @@ use Drupal\Core\PathProcessor\PathProcessorAlias; use Drupal\Core\PathProcessor\PathProcessorManager; use Drupal\Core\Routing\RequestContext; use Drupal\Core\Routing\UrlGenerator; -use Drupal\Core\Site\Settings; use Drupal\Tests\UnitTestCase; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\RequestStack; @@ -32,13 +31,6 @@ class UrlGeneratorTest extends UnitTestCase { */ protected $generator; - /** - * A second url generator to test, set to assume mixed-mode sessions. - * - * @var \Drupal\Core\Routing\UrlGenerator - */ - protected $generatorMixedMode; - /** * The alias manager. * @@ -137,14 +129,9 @@ class UrlGeneratorTest extends UnitTestCase { $config_factory_stub = $this->getConfigFactoryStub(array('system.filter' => array('protocols' => array('http', 'https')))); - $generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, new Settings(array()), NULL, $this->requestStack); + $generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, NULL, $this->requestStack); $generator->setContext($context); $this->generator = $generator; - - // Second generator for mixed-mode sessions. - $generator = new UrlGenerator($provider, $processor_manager, $this->routeProcessorManager, $config_factory_stub, new Settings(array('mixed_mode_sessions' => TRUE)), NULL, $this->requestStack); - $generator->setContext($context); - $this->generatorMixedMode = $generator; } /** @@ -310,17 +297,12 @@ class UrlGeneratorTest extends UnitTestCase { $url = $this->generator->generate('test_4', array(), TRUE); $this->assertEquals('https://localhost/test/four', $url); - $this->routeProcessorManager->expects($this->exactly(2)) + $this->routeProcessorManager->expects($this->exactly(1)) ->method('processOutbound') ->with($this->anything()); $options = array('absolute' => TRUE, 'https' => TRUE); - // Mixed-mode sessions are not enabled, so the https option is ignored. $url = $this->generator->generateFromRoute('test_1', array(), $options); - $this->assertEquals('http://localhost/hello/world', $url); - - // Mixed-mode sessions are enabled, so the https option is obeyed. - $url = $this->generatorMixedMode->generateFromRoute('test_1', array(), $options); $this->assertEquals('https://localhost/hello/world', $url); } diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php index cc2eb327d62..6d5f54fc3a5 100644 --- a/sites/default/default.settings.php +++ b/sites/default/default.settings.php @@ -413,14 +413,6 @@ if ($settings['hash_salt']) { */ # $settings['allow_authorize_operations'] = FALSE; -/** - * Mixed-mode sessions: - * - * Set to TRUE to create both secure and insecure sessions when using HTTPS. - * Defaults to FALSE. - */ -# $settings['mixed_mode_sessions'] = TRUE; - /** * Default mode for for directories and files written by Drupal. *