sess_destroy_uid() implementation only deletes latest session

Project: Memcache API and Integration
Version: 6.x-1.x-dev
Component: Code
Category: bug report
Priority: normal
Assigned: Unassigned
Status: needs review

Issue Summary

I've been testing the use of the Memcache session handling, and noticed that:

  1. There are no database writebacks for session information like there are for cache information.
  2. sess_destroy_uid(); is not implemented. Isn't that a security problem if a user is disabled while still logged in?

Perhaps there's a reason for this that I'm not able to see, but why shouldn't the session information be written back to the database? Is there a performance hit? If the writeback were there, it would be really easy to clear sessions by uid. I bring this up because I need to use the sess_destroy_uid(); function, but am unable to get my code to work when using Memcache session handling.

Comments

#1

Category: feature request » bug report

+1

#2

Status: active » needs review

The attached patch fixes this by looking up the memcache session by first retrieving the user object from memcache. It then uses this object to destroy the session. Please test.

Attachment: memcache-session.inc_.patch (554 bytes)

#3

Whoops -- the previous patch had a typo. This one should work. Please test.

Attachment: memcache-session.inc_.patch (545 bytes)

#4

There was a code path where the session id wasn't saved in the user object, causing sess_destroy_uid() to fail. The attached patch is updated to fix this. It works in all my testing.

Attachment: memcache-session.inc_.patch (1.01 KB)

#5

Status: needs review » fixed

Committed.

#6

Link to the commit for reference:
http://drupal.org/cvs?commit=237454

#7

Status: fixed » active

Only one user session (probably the latest) gets deleted.

<?php
function sess_destroy_uid($uid) {
$user = dmemcache_get($uid, 'users');
+  if (
is_object($user) && isset($user->sid)) {
+   
dmemcache_delete($user->sid, 'session');
+  }
dmemcache_delete($uid, 'users');
}
?>
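
Review bot: the added `dmemcache_delete($user->sid, 'session');` removes only the one session id held in `$user->sid`, so any other session the same uid holds stays in the 'session' bin, and when `dmemcache_get($uid, 'users')` returns no object the `is_object($user) && isset($user->sid)` guard skips the delete altogether and no session is destroyed. Suggest tracking every session id for the uid and deleting each one here, and documenting what happens when the 'users' entry is missing.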

#8

This could be fixed by storing an array of session IDs in the user object.

#9

Title: Session DB Writeback » sess_destroy_uid() implementation only deletes latest session
Version: 6.x-1.2 » 6.x-1.x-dev

This is related to #791888: sess_destroy_sid() does not remove the session cookie from the user's browser.

#10

Status: active » needs review

This still needs to be fixed for situations where a user has multiple browsers, each with a different session.

Attachment: sess_destroy_uid-441842-10.patch (1.38 KB)

#11

Patch for anyone else who still uses Drupal 5.

Attachment: sess_destroy_uid-441842-11_D5.patch (1.51 KB)

#12

Modified to prevent accumulation of dead sessions in the user object.

Attachments:
sess_destroy_uid-441842-12.patch (2.97 KB)
sess_destroy_uid-441842-12_D5.patch (3.2 KB)
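
One way to realise the suggestions in #8 and #12 (keep every session id in the user object and prune dead ones), as an added example that is not the module's code or any of the attached patches. The `example_*` functions, the `sids` property and the in-memory bins are hypothetical stand-ins for the module's `dmemcache_*` helpers and its 'session' and 'users' bins.

```php
<?php
// Constructed in-memory bins; example_bin_* are hypothetical stand-ins for
// the module's dmemcache_get/dmemcache_set/dmemcache_delete helpers.
$GLOBALS['example_bins'] = array('session' => array(), 'users' => array());
function example_bin_get($key, $bin) {
  $b = $GLOBALS['example_bins'][$bin];
  return isset($b[$key]) ? $b[$key] : FALSE;
}
function example_bin_set($key, $value, $bin) {
  $GLOBALS['example_bins'][$bin][$key] = $value;
}
function example_bin_delete($key, $bin) {
  unset($GLOBALS['example_bins'][$bin][$key]);
}

// Called on every session write: record the sid under the uid and drop
// sids whose session entry has already expired or been destroyed.
function example_sess_track($uid, $sid, $session_data) {
  example_bin_set($sid, $session_data, 'session');
  $user = example_bin_get($uid, 'users');
  if (!is_object($user)) { $user = new stdClass(); }
  $sids = isset($user->sids) ? $user->sids : array();
  $sids[$sid] = TRUE;
  foreach (array_keys($sids) as $known) {
    if (example_bin_get($known, 'session') === FALSE) {
      unset($sids[$known]);  // dead session, stop tracking it
    }
  }
  $user->sids = $sids;
  example_bin_set($uid, $user, 'users');
}

// Destroy every tracked session for the uid, not only the latest one.
function example_sess_destroy_uid($uid) {
  $user = example_bin_get($uid, 'users');
  if (is_object($user) && !empty($user->sids)) {
    foreach (array_keys($user->sids) as $sid) {
      example_bin_delete($sid, 'session');
    }
  }
  example_bin_delete($uid, 'users');
}

// Constructed scenario: one account logged in from two browsers.
example_sess_track(7, 'sid-browser-a', 'data-a');
example_sess_track(7, 'sid-browser-b', 'data-b');
example_sess_destroy_uid(7);
print count($GLOBALS['example_bins']['session']) . "\n";
```

The read-modify-write on the 'users' entry is not atomic, and if that entry is evicted the list of session ids is lost, so the remaining sessions stay valid until they expire.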

#13

#12 looks reasonable; I applied it on a production site.