Session DB Writeback
fractile81 - April 22, 2009 - 16:52
| Project: | Memcache API and Integration |
| Version: | 6.x-1.2 |
| Component: | Code |
| Category: | bug report |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | active |
Description
I've been testing the use of the Memcache session handling, and noticed that:
- There are no database writebacks for session information like there is for cache information.
sess_destroy_uid();is not implemented. Isn't that a security problem if a user is disabled while still logged in?
Perhaps there's a reasoning for this that I'm not able to see, but why shouldn't the session information be written back to the database? Is there a performance hit? If the writeback was there, it would be really easy to clear sessions by uid. I bring this up because I need to use the sess_destroy_uid(); function, but am unable to get my code to work when using Memcache session handling.
#1
+1
#2
The attached patch fixes this by looking up the memcache session by first retrieving the user object from memcache. It then uses this object to destroy the session. Please test.
#3
Whoops -- the previous patch had a typo. This one should work. Please test.
#4
There was a code path where the session id wasn't saved in the user object, causing the sess_destroy_uid() to fail. The attached patch is updated to fix this. It works in all my testing.
#5
Committed.
#6
Link to the commit for reference:
http://drupal.org/cvs?commit=237454
#7
Only one user session (probably latest) gets deleted.
<?phpfunction sess_destroy_uid($uid) {
+ $user = dmemcache_get($uid, 'users');
+ if (is_object($user) && isset($user->sid)) {
+ dmemcache_delete($user->sid, 'session');
+ }
+ dmemcache_delete($uid, 'users');
}
?>