Issue #1798832 by andreiashu, Berdir, heyrocker, aspilicious, johan.gant, typhonius, ACF: Convert https to .

core/includes/common.inc

@@ -2113,7 +2113,7 @@ function url($path = NULL, array $options = array()) {
     if ($options['query']) {
       $path .= (strpos($path, '?') !== FALSE ? '&' : '?') . drupal_http_build_query($options['query']);
     }
-    if (isset($options['https']) && variable_get('https', FALSE)) {
+    if (isset($options['https']) && settings()->get('mixed_mode_sessions', FALSE)) {
       if ($options['https'] === TRUE) {
         $path = str_replace('http://', 'https://', $path);
       }
@@ -2129,7 +2129,7 @@ function url($path = NULL, array $options = array()) {
 
   // The base_url might be rewritten from the language rewrite in domain mode.
   if (!isset($options['base_url'])) {
-    if (isset($options['https']) && variable_get('https', FALSE)) {
+    if (isset($options['https']) && settings()->get('mixed_mode_sessions', FALSE)) {
       if ($options['https'] === TRUE) {
         $options['base_url'] = $base_secure_url;
         $options['absolute'] = TRUE;

core/includes/form.inc

@@ -1825,7 +1825,7 @@ function form_builder($form_id, &$element, &$form_state) {
 
   // Special handling if we're on the top level form element.
   if (isset($element['#type']) && $element['#type'] == 'form') {
-    if (!empty($element['#https']) && variable_get('https', FALSE) &&
+    if (!empty($element['#https']) && settings()->get('mixed_mode_sessions', FALSE) &&
         !url_is_external($element['#action'])) {
       global $base_root;
 

core/includes/session.inc

@@ -188,14 +188,14 @@ function _drupal_session_write($sid, $value) {
         // The "secure pages" setting allows a site to simultaneously use both
         // secure and insecure session cookies. If enabled and both cookies are
         // presented then use both keys.
-        if (variable_get('https', FALSE)) {
+        if (settings()->get('mixed_mode_sessions', FALSE)) {
           $insecure_session_name = substr(session_name(), 1);
           if (isset($_COOKIE[$insecure_session_name])) {
             $key['sid'] = $_COOKIE[$insecure_session_name];
           }
         }
       }
-      elseif (variable_get('https', FALSE)) {
+      elseif (settings()->get('mixed_mode_sessions', FALSE)) {
         unset($key['ssid']);
       }
 
@@ -239,7 +239,7 @@ function drupal_session_initialize() {
 
   // We use !empty() in the following check to ensure that blank session IDs
   // are not valid.
-  if (!empty($_COOKIE[session_name()]) || ($is_https && variable_get('https', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
+  if (!empty($_COOKIE[session_name()]) || ($is_https && settings()->get('mixed_mode_sessions', FALSE) && !empty($_COOKIE[substr(session_name(), 1)]))) {
     // If a session cookie exists, initialize the session. Otherwise the
     // session is only started on demand in drupal_session_commit(), making
     // anonymous users not use a session cookie unless something is stored in
@@ -260,7 +260,7 @@ function drupal_session_initialize() {
     // anonymous users than are generated in drupal_session_regenerate() when
     // a user becomes authenticated.
     session_id(drupal_hash_base64(uniqid(mt_rand(), TRUE)));
-    if ($is_https && variable_get('https', FALSE)) {
+    if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
       $insecure_session_name = substr(session_name(), 1);
       $session_id = drupal_hash_base64(uniqid(mt_rand(), TRUE));
       $_COOKIE[$insecure_session_name] = $session_id;
@@ -315,7 +315,7 @@ function drupal_session_commit() {
     // started.
     if (!drupal_session_started()) {
       drupal_session_start();
-      if ($is_https && variable_get('https', FALSE)) {
+      if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
         $insecure_session_name = substr(session_name(), 1);
         $params = session_get_cookie_params();
         $expire = $params['lifetime'] ? REQUEST_TIME + $params['lifetime'] : 0;
@@ -351,7 +351,7 @@ function drupal_session_regenerate() {
     return;
   }
 
-  if ($is_https && variable_get('https', FALSE)) {
+  if ($is_https && settings()->get('mixed_mode_sessions', FALSE)) {
     $insecure_session_name = substr(session_name(), 1);
     if (!isset($GLOBALS['lazy_session']) && isset($_COOKIE[$insecure_session_name])) {
       $old_insecure_session_id = $_COOKIE[$insecure_session_name];
@@ -380,7 +380,7 @@ function drupal_session_regenerate() {
       $fields['ssid'] = session_id();
       // If the "secure pages" setting is enabled, use the newly-created
       // insecure session identifier as the regenerated sid.
-      if (variable_get('https', FALSE)) {
+      if (settings()->get('mixed_mode_sessions', FALSE)) {
         $fields['sid'] = $session_id;
       }
     }
@@ -440,7 +440,7 @@ function _drupal_session_destroy($sid) {
   if ($is_https) {
     _drupal_session_delete_cookie(substr(session_name(), 1), FALSE);
   }
-  elseif (variable_get('https', FALSE)) {
+  elseif (settings()->get('mixed_mode_sessions', FALSE)) {
     _drupal_session_delete_cookie('S' . session_name(), TRUE);
   }
 }

core/modules/language/language.negotiation.inc

@@ -480,7 +480,7 @@ function language_url_rewrite_url(&$path, &$options) {
             $options['base_url'] .= ':' . $port;
           }
 
-          if (isset($options['https']) && variable_get('https', FALSE)) {
+          if (isset($options['https']) && settings()->get('mixed_mode_sessions', FALSE)) {
             if ($options['https'] === TRUE) {
               $options['base_url'] = str_replace('http://', 'https://', $options['base_url']);
             }

core/modules/language/lib/Drupal/language/Tests/LanguageUILanguageNegotiationTest.php

@@ -462,11 +462,11 @@ class LanguageUILanguageNegotiationTest extends WebTestBase {
     $this->assertTrue($italian_url == $correct_link, format_string('The url() function returns the right URL (@url) in accordance with the chosen language', array('@url' => $italian_url)));
 
     // Test HTTPS via options.
-    variable_set('https', TRUE);
+    $this->settingsSet('mixed_mode_sessions', TRUE);
     $italian_url = url('admin', array('https' => TRUE, 'language' => $languages['it'], 'script' => ''));
     $correct_link = 'https://' . $link;
     $this->assertTrue($italian_url == $correct_link, format_string('The url() function returns the right HTTPS URL (via options) (@url) in accordance with the chosen language', array('@url' => $italian_url)));
-    variable_set('https', FALSE);
+    $this->settingsSet('mixed_mode_sessions', FALSE);
 
     // Test HTTPS via current URL scheme.
     $temp_https = $is_https;

core/modules/system/lib/Drupal/system/Tests/Session/SessionHttpsTest.php

@@ -113,7 +113,13 @@ class SessionHttpsTest extends WebTestBase {
     }
 
     // Enable secure pages.
-    variable_set('https', TRUE);
+    $this->settingsSet('mixed_mode_sessions', TRUE);
+    // Write that value also into the test settings.php file.
+    $settings['settings']['mixed_mode_sessions'] = (object) array(
+      'value' => TRUE,
+      'required' => TRUE,
+    );
+    $this->writeSettings($settings);
 
     $this->curlClose();
     // Start an anonymous session on the insecure site.

sites/default/default.settings.php

@@ -443,6 +443,14 @@ $settings['update_free_access'] = FALSE;
  */
 # $settings['allow_authorize_operations'] = FALSE;
 
+/**
+ * Mixed-mode sessions:
+ *
+ * Set to TRUE to create both secure and insecure sessions when using HTTPS.
+ * Defaults to FALSE.
+ */
+# $settings['mixed_mode_sessions'] = TRUE;
+
 /**
  * Base URL (optional).
  *