1 session.inc _backdrop_session_read($sid)

Reads an entire session from the database (internal use only).

Also initializes the $user object for the user associated with the session. This function is registered with session_set_save_handler() to support database-backed sessions. It is called on every page load when PHP sets up the $_SESSION superglobal.

This function is an internal function and must not be called directly. Doing so may result in logging out the current user, corrupting session data or other unexpected behavior. Session data must always be accessed via the $_SESSION superglobal.


$sid: The session ID of the session to retrieve.

Return value

The user's session, or an empty string if no session exists.:


core/includes/session.inc, line 69
User session handling functions.


function _backdrop_session_read($sid) {
  global $user, $is_https;

  // Write and Close handlers are called after destructing objects
  // since PHP 5.0.5.
  // Thus destructors can use sessions but session handler can't use objects.
  // So we are moving session closure before destructing objects.

  // Handle the case of first time visitors and clients that don't store
  // cookies (eg. web crawlers).
  $insecure_session_name = substr(session_name(), 1);
  if (empty($sid) || (!isset($_COOKIE[session_name()]) && !isset($_COOKIE[$insecure_session_name]))) {
    $user = backdrop_anonymous_user();
    return '';

  // Otherwise, if the session is still active, we have a record of the
  // client's session in the database. If it's HTTPS then we are either have
  // a HTTPS session or we are about to log in so we check the sessions table
  // for an anonymous session with the non-HTTPS-only cookie.
  if ($is_https) {
    $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.ssid = :ssid", array(':ssid' => $sid))->fetchObject();
    if (!$user) {
      if (isset($_COOKIE[$insecure_session_name])) {
        $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid AND s.uid = 0", array(
          ':sid' => $_COOKIE[$insecure_session_name]))
  else {
    $user = db_query("SELECT u.*, s.* FROM {users} u INNER JOIN {sessions} s ON u.uid = s.uid WHERE s.sid = :sid", array(':sid' => $sid))->fetchObject();

  // We found the client's session record and they are an authenticated,
  // active user.
  if ($user && $user->uid > 0 && $user->status == 1) {
    // This is done to unserialize the data member of $user.
    $user->data = unserialize((string) $user->data);

    // Add roles element to $user.
    $user->roles = db_query("SELECT role FROM {users_roles} WHERE uid = :uid", array(':uid' => $user->uid))->fetchCol();
    array_unshift($user->roles, BACKDROP_AUTHENTICATED_ROLE);
  elseif ($user) {
    // The user is anonymous or blocked. Only preserve two fields from the
    // {sessions} table.
    $account = backdrop_anonymous_user();
    $account->session = $user->session;
    $account->timestamp = $user->timestamp;
    $user = $account;
  else {
    // The session has expired.
    $user = backdrop_anonymous_user();
    $user->session = '';

  // Store the session that was read for comparison in _backdrop_session_write().
  $last_read = &backdrop_static('backdrop_session_last_read');
  $last_read = array(
    'sid' => $sid,
    'value' => $user->session,

  return $user->session;