1.3.9d visiting non-SSL page logs user out

**decartwr** · 20 Jun 2010, 05:19 AM

After upgrading to 1.3.9d, when visiting my site with cookies blocked in my browser, I can log in just fine, and as long as I only visit SSL pages I'm fine. But as soon as I visit a non-SSL page I get logged out.

I can fix this problem by modifying the following lines of code in init_includes/init_sessions.php (lines 42-46):

Code:

if (isset($_POST[zen_session_name()])) {
  zen_session_id($_POST[zen_session_name()]);
} elseif ( ($request_type == 'SSL') && isset($_GET[zen_session_name()]) ) {
  zen_session_id($_GET[zen_session_name()]);
}

If I remove the ($request_type == 'SSL') my site works fine; I remain signed in on all pages.

I don't understand why this code insists upon a $request_type of SSL. Both SSL and non-SSL pages can have a ZENID.