Index: branches/5.0.x/core/kernel/session/session.php
===================================================================
diff -u -r12323 -r12368
--- branches/5.0.x/core/kernel/session/session.php	(.../session.php)	(revision 12323)
+++ branches/5.0.x/core/kernel/session/session.php	(.../session.php)	(revision 12368)
@@ -1,6 +1,6 @@
 <?php
 /**
-* @version	$Id: session.php 12323 2009-08-17 20:39:30Z alex $
+* @version	$Id: session.php 12368 2009-08-23 21:55:59Z alex $
 * @package	In-Portal
 * @copyright	Copyright (C) 1997 - 2009 Intechnic. All rights reserved.
 * @license      GNU/GPL
@@ -121,6 +121,8 @@
 			$this->TimestampField	=>	$session->Expiration
 		);
 
+		// default values + additional values + values set during this script run
+		$additional_fields = array_merge($additional_fields, $this->DirectVars); // used 2 times later
 		$fields_hash = array_merge($fields_hash, $additional_fields);
 
 		$this->Conn->doInsert($fields_hash, $this->TableName);
@@ -245,9 +247,9 @@
 		unset($this->OriginalData[$var]);
 	}
 
-	function GetFromData(&$session, $var)
+	function GetFromData(&$session, $var, $default = false)
 	{
-		return getArrayValue($this->OriginalData, $var);
+		return array_key_exists($var, $this->OriginalData) ? $this->OriginalData[$var] : $default;
 	}
 
 	function GetExpiredSIDs()
@@ -428,6 +430,13 @@
 	var $SessionSet = false;
 
 	/**
+	 * Session ID is used from GET
+	 *
+	 * @var bool
+	 */
+	var $_fromGet = false;
+
+	/**
 	 * Enter description here...
 	 *
 	 * @var SessionStorage
@@ -444,16 +453,17 @@
 	var $Data;
 
 	/**
-	 * Names of optional session keys (which does not need to be always stored
+	 * Names of optional session keys with their optional values (which does not need to be always stored)
 	 *
-	 * @var array
+	 * @var Array
 	 */
-	var $OptionalData = array();
+	var $OptionalData = Array ();
 
 
-	function Session($mode=smAUTO)
+	function Session($mode = smAUTO)
 	{
 		parent::kBase();
+
 		$this->SetMode($mode);
 	}
 
@@ -544,7 +554,7 @@
 		$expired_sids = $this->DeleteExpired();
 		$my_sid_expired = in_array($this->CachedSID, $expired_sids);
 
-		if ( ($expired_sids && $my_sid_expired) || ($this->CachedSID && !$this->SessionSet) ) {
+		if ( ($expired_sids && $my_sid_expired) || ($this->CachedSID && !$this->_fromGet && !$this->SessionSet) ) {
 			$this->RemoveSessionCookie();
 			// true was here to force new session creation, but I (kostja) used
 			// RemoveCookie a line above, to avoid redirect loop with expired sid
@@ -581,51 +591,20 @@
 		return preg_match($reg, getArrayValue($_SERVER, 'HTTP_REFERER') ) || (defined('IS_POPUP') && IS_POPUP);
 	}
 
-	/*function CheckDuplicateCookies()
-	{
-		if (isset($_SERVER['HTTP_COOKIE'])) {
-			$cookie_str = $_SERVER['HTTP_COOKIE'];
-			$cookies = explode('; ', $cookie_str);
-			$all_cookies = array();
-			foreach ($cookies as $cookie) {
-				list($name, $value) = explode('=', $cookie);
-				if (isset($all_cookies[$name])) {
-					//double cookie name!!!
-					$this->RemoveCookie($name);
-				}
-				else $all_cookies[$name] = $value;
-			}
-		}
-	}
-
-	function RemoveCookie($name)
-	{
-		$path = $_SERVER['PHP_SELF'];
-		$path_parts = explode('/', $path);
-		$cur_path = '';
-		setcookie($name, false, null, $cur_path);
-		foreach ($path_parts as $part) {
-			$cur_path .= $part;
-			setcookie($name, false, null, $cur_path);
-			$cur_path .= '/';
-			setcookie($name, false, null, $cur_path);
-		}
-	}*/
-
 	function CheckIfCookiesAreOn()
 	{
-//		$this->CheckDuplicateCookies();
-		if ($this->Mode == smGET_ONLY)
-		{
+		if ($this->Mode == smGET_ONLY) {
 			//we don't need to bother checking if we would not use it
 			$this->CookiesEnabled = false;
 			return;
 		}
+
 		$http_query =& $this->Application->recallObject('HTTPQuery');
-		$cookies_on = isset($http_query->Cookie['cookies_on']); // not good here
+		$cookies_on = array_key_exists('cookies_on', $http_query->Cookie); // not good here
 
 		$get_sid = getArrayValue($http_query->Get, $this->GETName);
-		if ($this->IsHTTPSRedirect() && $get_sid) { //Redirect from http to https on different domain
+
+		if ($this->IsHTTPSRedirect() && $get_sid) { // Redirect from http to https on different domain
 			$this->OriginalMode = $this->Mode;
 			$this->SetMode(smGET_ONLY);
 		}
@@ -642,8 +621,10 @@
 				$this->SetCookie('cookies_on', 1, adodb_mktime() + 31104000); //one year should be enough
 			}
 		}
-		else
+		else {
 			$this->CookiesEnabled = true;
+		}
+
 		return $this->CookiesEnabled;
 	}
 
@@ -677,7 +658,7 @@
 		//try to load session by sid, if everything is fine
 		$result = $this->LoadSession($sid);
 
-		$this->SessionSet = $result;
+		$this->SessionSet = $result; // fake front-end session will given "false" here
 
 		return $result;
 	}
@@ -705,9 +686,13 @@
 
 	function GetPassedSIDValue($use_cache = 1)
 	{
-		if (!empty($this->CachedSID) && $use_cache) return $this->CachedSID;
+		if (!empty($this->CachedSID) && $use_cache) {
+			return $this->CachedSID;
+		}
+
 		$http_query =& $this->Application->recallObject('HTTPQuery');
 		$get_sid = getArrayValue($http_query->Get, $this->GETName);
+		$sid_from_get = $get_sid ? true : false;
 
 		if ($this->Application->GetVar('admin') == 1 && $get_sid) {
 			$sid = $get_sid;
@@ -717,30 +702,37 @@
 				case smAUTO:
 					//Cookies has the priority - we ignore everything else
 					$sid = $this->CookiesEnabled ? $this->GetSessionCookie() : $get_sid;
+
+					if ($this->CookiesEnabled) {
+						$sid_from_get = false;
+					}
 					break;
+
 				case smCOOKIES_ONLY:
 					$sid = $this->GetSessionCookie();
 					break;
+
 				case smGET_ONLY:
 					$sid = $get_sid;
 					break;
+
 				case smCOOKIES_AND_GET:
 					$cookie_sid = $this->GetSessionCookie();
 					//both sids should match if cookies are enabled
-					if (!$this->CookiesEnabled || ($cookie_sid == $get_sid))
-					{
+					if (!$this->CookiesEnabled || ($cookie_sid == $get_sid)) {
 						$sid = $get_sid; //we use get here just in case cookies are disabled
 					}
-					else
-					{
+					else {
 						$sid = '';
+						$sid_from_get = false;
 					}
 					break;
 			}
 		}
 
-
 		$this->CachedSID = $sid;
+		$this->_fromGet = $sid_from_get;
+
 		return $this->CachedSID;
 	}
 
@@ -786,43 +778,61 @@
 	 */
 	function setSID($new_sid)
 	{
-		$this->SID = $this->CachedSID = $new_sid;
+		$this->SID /*= $this->CachedSID*/ = $new_sid; // don't set cached sid here
 		$this->Application->SetVar($this->GETName,$new_sid);
 	}
 
 	function NeedSession()
 	{
 		$data = $this->Data->GetParams();
+
 		$data_keys = array_keys($data);
-		$optional_keys = array_unique($this->OptionalData);
+		$optional_keys = array_keys($this->OptionalData);
 		$real_keys = array_diff($data_keys, $optional_keys);
+
 		return $real_keys ? true : false;
 	}
 
 	function SetSession($force = false)
 	{
-		if ($this->SessionSet && !$force) return true;
+		if ($this->SessionSet && !$force) {
+			return true;
+		}
+
 		if (!$force && !($this->Application->IsAdmin() || $this->Application->GetVar('admin')) && !$this->NeedSession()) {
 			// don't create session (in db) on Front-End, when sid is present (GPC), but data in db isn't
-			$this->GenerateSID();
+			if ($this->_fromGet) {
+				// set sid, that was given in GET
+				$this->setSID( $this->GetPassedSIDValue() );
+			} else {
+				// re-generate sid only, when cookies are used
+				$this->GenerateSID();
+			}
 			return false;
 		}
 
-		if (!$this->SID || $force) $this->GenerateSID();
+		if (!$this->SID || $force) {
+			$this->GenerateSID();
+		}
+
 		$this->Expiration = adodb_mktime() + $this->SessionTimeout;
+
 		switch ($this->Mode) {
 			case smAUTO:
 				if ($this->CookiesEnabled) {
 					$this->SetSessionCookie();
 				}
 				break;
+
 			case smGET_ONLY:
 				break;
+
 			case smCOOKIES_ONLY:
 			case smCOOKIES_AND_GET:
 				$this->SetSessionCookie();
 				break;
 		}
+
 		$this->Storage->StoreSession($this);
 
 		if ($this->Application->IsAdmin() || $this->Special == 'admin') {
@@ -909,29 +919,39 @@
 		$this->SID = $this->CachedSID = '';
 		$this->SessionSet = false;
 
-		if ($this->CookiesEnabled) $this->SetSessionCookie(); //will remove the cookie due to value (sid) is empty
+//		if ($this->CookiesEnabled) {
+			// remove cookie, because we will have fake session and it should be getting sid left in cookies
+			$this->SetSessionCookie(); //will remove the cookie due to value (sid) is empty
+//		}
 
 		$this->SetSession(true); //will create a new session, true to force
 	}
 
 	function NeedQueryString($use_cache = 1)
 	{
-		if ($this->CachedNeedQueryString != null && $use_cache) return $this->CachedNeedQueryString;
+		if ($this->CachedNeedQueryString != null && $use_cache) {
+			return $this->CachedNeedQueryString;
+		}
 
 		$result = false;
-		switch ($this->Mode)
-		{
+		switch ($this->Mode) {
 			case smAUTO:
-				if (!$this->CookiesEnabled) $result = true;
+				if (!$this->CookiesEnabled) {
+					$result = true;
+				}
 				break;
+
 			/*case smCOOKIES_ONLY:
 				break;*/
+
 			case smGET_ONLY:
 			case smCOOKIES_AND_GET:
 				$result = true;
 				break;
 		}
+
 		$this->CachedNeedQueryString = $result;
+
 		return $result;
 	}
 
@@ -940,7 +960,7 @@
 		$this->Data->AddParams($this->Storage->LoadData($this));
 	}
 
-	function PrintSession($comment='')
+	function PrintSession($comment = '')
 	{
 		if (defined('DEBUG_MODE') && $this->Application->isDebugMode() && constOn('DBG_SHOW_SESSIONDATA')) {
 			// dump session data
@@ -953,7 +973,22 @@
 				}
 			}
 			$this->Application->Debugger->dumpVars($session_data);
+
+			// dump real keys
+			$data_keys = array_keys($session_data);
+			$optional_keys = array_keys($this->OptionalData);
+			$real_keys = array_diff($data_keys, $optional_keys);
+
+			if ($real_keys) {
+				$ret = '';
+				foreach ($real_keys as $real_key) {
+					$ret .= '[' . $real_key . '] = [' . $session_data[$real_key] . ']<br/>';
+				}
+
+				$this->Application->Debugger->appendHTML('Real Keys:<br/> ' . $ret);
+			}
 		}
+
 		if (defined('DEBUG_MODE') && $this->Application->isDebugMode() && constOn('DBG_SHOW_PERSISTENTDATA')) {
 			// dump persistent session data
 			if ($this->Storage->PersistentVars) {
@@ -1027,6 +1062,10 @@
 			elseif ($this->Application->GetVar('admin')) {
 				// admin checking by session data to prevent recursive session save
 				if (!$this->RecallVar('admin')) {
+					// bug: we get recursion in this place, when cookies are disabled in browser and we are browsing
+					// front-end in admin's frame (front-end session is initialized using admin's sid and they are
+					// mixed together)
+
 					$admin_session =& $this->Application->recallObject('Session.admin');
 					/* @var $admin_session Session */
 
@@ -1063,6 +1102,11 @@
 
 		$params['__URLENCODE__'] = 1; // uses "&" instead of "&amp;" for url part concatenation + replaces "\" to "%5C" (works in HTML)
 
+
+		if ($this->Application->GetVar('admin') && !array_key_exists('admin', $params) && !defined('EDITING_MODE')) {
+			$params['editing_mode'] = ''; // used in kApplication::Run
+		}
+
 		$params = array_merge($this->Application->getPassThroughVariables($params), $params);
 		$ret = $this->Application->BuildEnv($t, $params, 'all');
 
@@ -1076,9 +1120,20 @@
 	function StoreVar($name, $value, $optional = false)
 	{
 		$this->Data->Set($name, $value);
+
 		if ($optional) {
-			$this->OptionalData[] = $name;
+			// make variable optional, also remember optional value
+			$this->OptionalData[$name] = $value;
 		}
+		elseif (!$optional && array_key_exists($name, $this->OptionalData)) {
+			if ($this->OptionalData[$name] == $value) {
+				// same value as optional -> don't remove optional mark
+				return ;
+			}
+
+			// make variable non-optional
+			unset($this->OptionalData[$name]);
+		}
 	}
 
 	function StorePersistentVar($name, $value)
@@ -1130,7 +1185,14 @@
 	 */
 	function RestoreVar($name)
 	{
-		return $this->StoreVar($name, $this->Storage->GetFromData($this, $name));
+		$value = $this->Storage->GetFromData($this, $name, '__missing__');
+
+		if ($value === '__missing__') {
+			// there is nothing to restore (maybe session was not saved), look in optional variable values
+			$value = array_key_exists($name, $this->OptionalData) ? $this->OptionalData[$name] : false;
+		}
+
+		return $this->StoreVar($name, $value);
 	}
 
 	function GetField($var_name, $default = false)