I have been testing this module on our site and have noticed that the automatic login doesn't seem to trigger until the user clears their cookies and gets assigned a new session cookie. This is because Drupal sets a long expiry time on the session cookie for anonymous users.

If we setup an automated login for a particular site that has visited our website before (highly likely) they will have to clear the cookies for our site on each machine they have which is quite clunky.

Do you think it is a good idea to modify _ip_login_set_user_range function so that when an IP address is changed that it removes all cookies which have a hostname matching that IP. In addition to this when an IP address isn't entered (might have been removed) the module should do a lookup, see if they did have one and then delete any session from that revoked IP. This would solve the issue where you revoke someone's access and they are still logged in when they next access the site as their session continues using the cached UID.

The only tricky thing is making this work for subnets and wildcards. The only way to get these to work would be to analyse the subnet or wildcard and then add the individual IP addresses to the query. Not sure how efficient this would be for large subnets.

Comments

jim kirkpatrick’s picture

Status: Active » Postponed (maintainer needs more info)

Apologies for the delay in replying... Can you try the latest RC1 release and see if it's better?

Apart from that, if you/anyone would like to submit a patch to wipe a user's IP Login cookies under for a certain page, that'd be great. Cookies can only be wiped when a user visits a page that removes them, not en masse for all cookies.

Postponing for now.

jim kirkpatrick’s picture

Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

No response, closing... Re-open if you have something to add.

jim kirkpatrick’s picture

Issue summary: View changes

Clarified section about deleting session for revoked IP login