Found a bug in core that produces a critical error if content creation is open to anonymous users and they try to log in after that.


A session started for an anonymous user in mixed mode causes a PDOException when the user tries to log in.
PDOException: SQLSTATE[23000]: Integrity constraint violation: 1062 Duplicate entry 'h0c...' for key 'PRIMARY': UPDATE {sessions}

Steps to reproduce

  1. Configure the web server: enable SSL. Both HTTP and HTTPS can be available, or only HTTPS.
  2. Enable mixed mode in Drupal: $conf['https'] = TRUE;
  3. Install a fresh Drupal 7.
  4. Enable the wysiwyg and ckeditor modules.
  5. Enable Visitors to create an account and require verification by email at /admin/config/people/accounts.
  6. Add permission for anonymous to create nodes of type Article.
  7. Add the FullHTML format for anonymous.
  8. Open the /node/add/article page over HTTPS as anonymous. An SSESS cookie will be created.
  9. Create a new account.
  10. Try to log in using the link from the email (or a password reset link) in the current browser.

Proposed resolution

The issue is caused by a duplicated record in the sessions table with the same ssid. The record is created a second time because the cookie for the previously opened insecure session is absent.
I found that the wysiwyg and ckeditor modules open a session with drupal_session_start(), but drupal_session_commit() at the end doesn't save the insecure cookie.
The provided patch will fix this issue.

