Lazy sessions and authorization (Drupal)

Cantor, Scott cantor.2 at
Mon Oct 28 09:58:47 EDT 2013

On 10/28/13, 4:21 AM, "Laas Toom" <Laas.Toom at> wrote:
>One question still: am I the only one that thinks that it could come in
>handy if there is a way to allow both unauth users and properly
>authorized users and the application could rest assured that if session
>is present, it is properly authorized?

I have yet to hear you say that you tried what I suggested (twice) and
that it didn't work.

>Also, in my view, the "ShibRequestSetting requireSession" behaves
>somewhat counter-intuitive:
>1) when set to 1, a session is initiated when not present, and all
>authorization is applied
>2) when set to 0, a session is still "required", and authorized, only not

That's not the case. The authorization code is not written to a priori
require a session. I know because I just looked. So if your authorization
rules actually do require a session, I think that's because you wrote them
to. So I reiterate that as far as I can tell, combining rules with "OR NOT
valid-user" probably should work.

>Of course, this can not be changed now, for backwards compatibility, but
>perhaps a new setting, say 'ignoreUnauthzSession', could be introduced
>that toggles this behavior?

I'm not considering anything until I have actual evidence that it doesn't
work already.

>Are there any downsides to this? Could it be considered a featurea

There's a significant downside: confusion, complexity, changing sensitive

-- Scott
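As an added illustration of the "OR NOT valid-user" combination Scott refers to above (this is example configuration, not something posted in the thread or taken from the Shibboleth project's own documentation), assuming an Apache httpd deployment of the Shibboleth SP with its XML access control plugin, and a hypothetical protected path `/drupal` with the rule file at `/etc/shibboleth/drupal-acl.xml`:

```xml
<!-- httpd.conf / vhost fragment (assumed path /drupal) -->
<Location /drupal>
    AuthType shibboleth
    <!-- 0: do not force a session; anonymous requests reach the rules below -->
    ShibRequestSetting requireSession 0
    <!-- delegate the access decision to the XML rule file -->
    ShibAccessControl /etc/shibboleth/drupal-acl.xml
    Require shibboleth
</Location>

<!-- /etc/shibboleth/drupal-acl.xml (assumed file name) -->
<!--
  Evaluation:
   - no session: "valid-user" fails, so NOT valid-user is true -> access allowed
     as an anonymous user (no attributes are exported to the application)
   - session present: NOT valid-user is false, so the affiliation rule must
     match; a session that does not satisfy it is rejected with 403
  The net effect is the property asked about in the thread: whenever the
  application sees a session, that session has already passed authorization.
  The attribute id and value below are constructed placeholders.
-->
<AccessControl>
  <OR>
    <NOT>
      <Rule require="valid-user"/>
    </NOT>
    <Rule require="affiliation">member@example.org</Rule>
  </OR>
</AccessControl>
```

The application still has to treat requests without Shibboleth attributes as anonymous; the rules only guarantee that any session it does see was authorized.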
