Use Session service instead of $_SESSION

Created on 24 June 2024, 7 months ago

Problem/Motivation

The current code is incompatible with custom session handlers (redis sessions for example) because it directly accesses the $_SESSION super global variable.
cf. https://git.drupalcode.org/project/keycloak/-/blob/2.2.x/src/Controller/KeycloakController.php?ref_type=heads#L124

  /**
   * Login the user using the Keycloak openid_connect client.
   */
  public function login() {
    $this->session->saveDestination();
    $client_name = 'keycloak';

    $configuration = $this->config('openid_connect.settings.keycloak')->get('settings');
    $client = $this->pluginManager->createInstance(
      $client_name,
      $configuration
    );
    $scopes = $this->claims->getScopes();
    $_SESSION['openid_connect_op'] = 'login';
    return $client->authorize($scopes);
  }

Steps to reproduce

1. Use a custom session manager service
2. Try to authenticate using Keycloak, it will fail silently.

Proposed resolution

Use the right service (already injected), from OpenID module :

-     $_SESSION['openid_connect_op'] = 'login';
+     $this->session->saveOp('login');

Patch tested on Drupal 10.2.3, PHP 8.1, 8.2

🐛 Bug report

Status

Active

Version

2.2

Component

Code

Created by

nbouquet

Live updates comments and jobs are added and updated live.

Sessions

Merge Requests

!40Use Session service instead of $_SESSION
Open
nbouquet
updated 7 months ago

Comments & Activities

Issue created by @nbouquet
Merge request !40fix(session): Use OpenIDConnectSession instead of $_SESSION → (Open) created by nbouquet
Pipeline finished with Success
7 months ago
Total: 143s
#206895

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024