I spent some time today troubleshooting this module for a colleague. It worked great everywhere except in Internet Explorer 8.

After failing to find the issue in XDebug, I added some PHP error_log commands and found the root cause of the issue: if you do not set Browser Refresh Delay to a reasonably large number of seconds (at least 3), then Internet Explorer 8 can meta refresh a couple of seconds early and thereby will never get logged out (this appears to be a bug in IE8).

- IE8 loads a page with, for example, a 60s meta refresh.
- IE8 then refreshes in 58 seconds, not 60 seconds!!! It seems to always jump the gun by two seconds (maybe this is MS's idea of a performance enhancement ;) )
- The following test from hook_init() fails:

  if ( ((int)$hit - (int)$_SESSION['lastaccess']) < $timeout ) {

Because it sees the last access as exactly ($timeout - 2) seconds ago.

This race condition will always exist if the refresh_delta value (Browser Refresh Delay) is 0. Should the browser refresh a second early, it will cause them to stay logged in and their $_SESSION['lastaccess'] gets rebased to the current time.

The description of the Browser Refresh Delay field in the settings page says:

Browser refresh delay:

The length of time, in seconds, after a timeout that a browser refresh is forced. Setting this to -1 (negative number) disables the browser refresh facility entirely.

It is not clear from this description that you need to set this value to > 0. Although it just seems to work at 0 for most browsers, it is clearly a race condition and just good luck. I think we should default it to 10, and say something in the description like:

Browser refresh delay:

The length of time, in seconds, after a timeout that a browser refresh is forced. A small value of 5 - 10 seconds is usually sufficient. Setting this to -1 (negative number) disables the browser refresh facility entirely.

I couldn't find any other issues on this subject for the module, but it was consistently happening for me in IE8 on one site regardless of which server it was on.
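The following simulation is an added example, not part of the original post and not the module's own code. It replays the comparison quoted from hook_init() for an idle tab that reloads only through the meta refresh. The function name, its parameters and the assumption that the page requests a refresh at timeout plus refresh delay are illustrative.

```php
<?php
// Added illustration; function and parameter names are hypothetical, not the module's.

/**
 * Simulate an idle browser tab that only ever reloads via the meta refresh.
 *
 * @param int $timeout      Session timeout in seconds.
 * @param int $refreshDelay "Browser Refresh Delay" setting (seconds after the timeout).
 * @param int $earlySkew    Seconds by which the browser fires the refresh early.
 * @param int $maxRefreshes Stop simulating after this many refreshes.
 * @return int|null Time in seconds at which the user is logged out, or null if never.
 */
function simulate_idle_session(int $timeout, int $refreshDelay, int $earlySkew, int $maxRefreshes = 10): ?int
{
    $session = ['lastaccess' => 0];
    $now = 0;

    for ($i = 0; $i < $maxRefreshes; $i++) {
        // Assumed: the page asks for a refresh at timeout + delay; the browser fires early.
        $now += max(0, $timeout + $refreshDelay - $earlySkew);
        $hit = $now;

        // Same comparison as the hook_init() test quoted in the post.
        if (((int) $hit - (int) $session['lastaccess']) < $timeout) {
            // Still counted as active: the idle timer is rebased to the current time.
            $session['lastaccess'] = $hit;
            continue;
        }
        return $now; // Timeout reached: the session is ended.
    }
    return null; // The idle user was never logged out.
}

// Constructed sample values: 60s timeout, refresh fired 2s early.
$timeout = 60;
foreach ([0, 1, 2, 3, 10] as $delay) {
    $result = simulate_idle_session($timeout, $delay, 2);
    printf(
        "delay=%2d skew=2 -> %s\n",
        $delay,
        $result === null ? 'never logged out' : "logged out at {$result}s"
    );
}
```

In this model the idle session ends only when the refresh delay is at least as large as the amount by which the browser fires early. Any smaller value rebases `lastaccess` on every refresh.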

Comments

johnennew

Status: Active » Closed (won't fix)

Closing old issue