Auth: Don't send HTTP cookies in non-HTTP processes

mjansenDatabay · mjansenDatabay · commit ef67329b827c · 2025-02-05T09:01:48.000+01:00
diff --git a/Services/Authentication/classes/class.ilSession.php b/Services/Authentication/classes/class.ilSession.php
@@ -287,16 +287,21 @@ public static function _destroy($a_session_id, ?int $a_closing_context = null, $
 
         $ilDB->manipulate($q);
 
-        try {
-            // only delete session cookie if it is set in the current request
-            if ($DIC->http()->wrapper()->cookie()->has(session_name()) &&
-                $DIC->http()->wrapper()->cookie()->retrieve(session_name(), $DIC->refinery()->kindlyTo()->string()) === $a_session_id) {
-                $cookieJar = $DIC->http()->cookieJar()->without(session_name());
-                $cookieJar->renderIntoResponseHeader($DIC->http()->response());
+        if (ilContext::usesHTTP()) {
+            try {
+                // only delete session cookie if it is set in the current request
+                if ($DIC->http()->wrapper()->cookie()->has(session_name()) &&
+                    $DIC->http()->wrapper()->cookie()->retrieve(
+                        session_name(),
+                        $DIC->refinery()->kindlyTo()->string()
+                    ) === $a_session_id) {
+                    $cookieJar = $DIC->http()->cookieJar()->without(session_name());
+                    $cookieJar->renderIntoResponseHeader($DIC->http()->response());
+                }
+            } catch (\Throwable $e) {
+                // ignore
+                // this is needed for "header already"  sent errors when the random cleanup of expired sessions is triggered
             }
-        } catch (\Throwable $e) {
-            // ignore
-            // this is needed for "header already"  sent errors when the random cleanup of expired sessions is triggered
         }
 
         return true;
