in hook_boot there is :

if ( !isset($_SESSION['autologout_hits']) ) {
    $_SESSION['autologout_hits'] = array();
  }
  $_SESSION['autologout_hits'][] = time();

so no matter anonymous or authenticated users, the session is created.

Then in hook_init, there is check to remove that session for anonymous users

// Clear session variable if you are not using autologout function and for anonymous users.
  if ( isset($_SESSION['autologout_hits']) && (! _autologout_local_settings('enabled') || $user->uid == 0) ) {
    unset($_SESSION['autologout_hits']);
  }

Why not apply the same check in hook_boot, actually why do we need any autologout functions for anonymous users

Thanks

Comments

Anonymous’s picture

Title: create $_SESSION['autologout_hits'] for anonymous users in hook_boot » Remove $_SESSION['autologout_hits'] for anonymous users in hook_boot
james.cartledge’s picture

Version: 6.x-2.x-dev » 6.x-2.5
StatusFileSize
new399 bytes

Patched hook_boot because this messed up our cache headers as well as sending the session with every request.

sastha’s picture

Applying this patch completely removed 'autologout_hits' from logging. We ran Vulnerability scan for our site with thousands of users. For every anonymous user, this module store time stamp in 'sessions' table. The excessive time stamps for each hit lead to big UPDATE queries and filled the BINARY LOGs in MySQL. Ultimately, the site went down and crashed MySQL.

I suspect the problem is due to autologout_boot() function. Any idea how to resolve this?

johnennew’s picture

Status: Active » Closed (won't fix)

I am closing this issue as it is old and the 2.x branches are no longer supported. If anyone feels this is an issue in the 4.x branches please feel free to reopen.