Is it possible to get the user's session ID after logging them in?

Created on 1 October 2014, about 10 years ago
Updated 31 October 2023, about 1 year ago

I'm working on porting the CAS single-sign-on module to D8 and running into a roadblock when manually logging a user in. It seems that the user/sessions stuff is still a bit up in the air, but after checking through several existing issues (1, 2) and change records (1, 2), I can't find the proper way to obtain a user's session data after they've been logged in.

I can manually log a user in by piggybacking off user_login_finalize in user.module (even though I'd prefer not to, since it's using the global $user object which is deprecated):

function user_login_finalize(UserInterface $account) {
  global $user;
  $user = $account;
  \Drupal::logger('user')->notice('Session opened for %name.', array('%name' => $account->getUsername()));
  // Update the user table timestamp noting user has logged in.
  // This is also used to invalidate one-time login links.
  $account->setLastLoginTime(REQUEST_TIME);
  \Drupal::entityManager()
    ->getStorage('user')
    ->updateLastLoginTimestamp($account);

  // Regenerate the session ID to prevent against session fixation attacks.
  // This is called before hook_user_login() in case one of those functions
  // fails or incorrectly does a redirect which would leave the old session
  // in place.
  \Drupal::service('session_manager')->regenerate();

  \Drupal::moduleHandler()->invokeAll('user_login', array($account));
}

After I call this though, it doesn't seem possible to retrieve that user's session ID. I need the session ID, because I need to store it in a custom table for my module that maps session IDs with a CAS identifier that is later used in single-sign-out.

Looks like part of the problem is that the user's new session data is not actually persisted until AuthenticationSubscriber is called on the kernel response event, which will call the cleanup method on the AuthenticationManager, which finally "saves" the user session.

Hopefully someone can enlighten me on how to handle this.

💬 Support request
Status: Fixed
Version: 8.1 ⚰️
Component: User module
Last updated 1 day ago
Created by: 🇺🇸 United States bkosborne, New Jersey, USA


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇮🇳India amitajgaonkar

    For Drupal 10, #4 and #6 do not work. During hook_user_login the session is not created.

  • 🇮🇳India itsbakiya

    $session->getID() is empty. Is there any other way to get the session value?

  • 🇧🇪Belgium paulvb

    I had the same issue for a very specific use case. It's a bit of a hack, but I discovered that you can initiate the session and access the session ID by calling \Drupal::currentUser()->getAccount(); within the user_login hook, and then the session service will return the ID...

    In Drupal 9 the session manager had a method getId that generated one if none was present. https://www.drupal.org/node/3006306

    public function getId() {
      $id = parent::getId();

      if (empty($id)) {
        // Legacy code might rely on the existence of a session ID before a real
        // session exists. In this case, generate a random session ID to provide
        // backwards compatibility.
        @trigger_error('Calling ' . __METHOD__ . '() outside of an actual existing session is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. This is often used for anonymous users. See https://www.drupal.org/node/3006306 ', E_USER_DEPRECATED);
        $id = Crypt::randomBytesBase64();
        $this->setId($id);
      }
      return $id;
    }
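
An added example, not from this thread or from the CAS module: one way to keep the session-to-CAS mapping described in the question without storing raw session IDs, while handling the empty-ID case reported in the comments. The module name mymodule, the table mymodule_cas_sessions (assumed to be defined in hook_schema()) and both function names are hypothetical; it assumes core's database session storage, which keys the sessions table by Crypt::hashBase64() of the session ID.

```php
<?php

use Drupal\Component\Utility\Crypt;

/**
 * Maps the current session to a CAS ticket (hypothetical helper).
 *
 * Only a hash of the session ID is stored, so a leaked mapping table cannot
 * be replayed as session cookies. Returns FALSE when no session ID exists
 * yet, so the caller can retry later in the request instead of storing
 * an empty value.
 */
function mymodule_record_cas_session(string $ticket): bool {
  $sid = \Drupal::service('session')->getId();
  if (!$sid) {
    return FALSE;
  }
  \Drupal::database()->merge('mymodule_cas_sessions')
    ->key('ticket', $ticket)
    ->fields([
      // Same transform core applies to the sid column of {sessions}.
      'sid_hash' => Crypt::hashBase64($sid),
      'created' => \Drupal::time()->getRequestTime(),
    ])
    ->execute();
  return TRUE;
}

/**
 * Ends the session mapped to a CAS ticket on single sign-out.
 *
 * Returns the number of session rows removed (0 if the ticket is unknown).
 */
function mymodule_single_sign_out(string $ticket): int {
  $db = \Drupal::database();
  $sid_hash = $db->select('mymodule_cas_sessions', 'm')
    ->fields('m', ['sid_hash'])
    ->condition('ticket', $ticket)
    ->execute()
    ->fetchField();
  if ($sid_hash === FALSE) {
    return 0;
  }
  // The stored hash matches {sessions}.sid directly; no raw ID is needed.
  $deleted = $db->delete('sessions')->condition('sid', $sid_hash)->execute();
  $db->delete('mymodule_cas_sessions')->condition('ticket', $ticket)->execute();
  return (int) $deleted;
}
```

Sites that replace the database session handler (for example with a cache backend) need a different lookup in the sign-out step, since the sessions table is then not the source of truth.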
