Download & Extend
Memcache API and Integration » Issues

sess_destroy_uid() implementation only deletes latest session

Posted by fractile81 on April 22, 2009 at 4:52pm
Project:Memcache API and Integration
Version:6.x-1.x-dev
Component:Code
Category:bug report
Priority:normal
Assigned:Unassigned
Status:needs review

Issue Summary

I've been testing the use of the Memcache session handling, and noticed that:

  1. There are no database writebacks for session information like there is for cache information.
  2. sess_destroy_uid(); is not implemented. Isn't that a security problem if a user is disabled while still logged in?

Perhaps there's a reasoning for this that I'm not able to see, but why shouldn't the session information be written back to the database? Is there a performance hit? If the writeback was there, it would be really easy to clear sessions by uid. I bring this up because I need to use the sess_destroy_uid(); function, but am unable to get my code to work when using Memcache session handling.

Login or register to post comments

Comments

#1

Posted by matt_paz on April 22, 2009 at 5:25pm
Category:feature request» bug report

+1

#2

Posted by Jeremy on July 13, 2009 at 8:50pm
Status:active» needs review

The attached patch fixes this by looking up the memcache session by first retrieving the user object from memcache. It then uses this object to destroy the session. Please test.

AttachmentSize
memcache-session.inc_.patch 554 bytes

#3

Posted by Jeremy on July 13, 2009 at 9:25pm

Whoops -- the previous patch had a typo. This one should work. Please test.

AttachmentSize
memcache-session.inc_.patch 545 bytes

#4

Posted by Jeremy on July 14, 2009 at 6:39pm

There was a code path where the session id wasn't saved in the user object, causing the sess_destroy_uid() to fail. The attached patch is updated to fix this. It works in all my testing.

AttachmentSize
memcache-session.inc_.patch 1.01 KB

#5

Posted by Jeremy on July 14, 2009 at 10:07pm
Status:needs review» fixed

Committed.

#6

Posted by Jeremy on July 14, 2009 at 10:08pm

Link to the commit for reference:
http://drupal.org/cvs?commit=237454

#7

Posted by doq on July 20, 2009 at 2:02pm
Status:fixed» active

Only one user session (probably latest) gets deleted.

<?php
function sess_destroy_uid($uid) {
$user = dmemcache_get($uid, 'users');
+  if (is_object($user) && isset($user->sid)) {
+    dmemcache_delete($user->sid, 'session');
+  }
dmemcache_delete($uid, 'users');
}
?>

#8

Posted by Darren Oh on November 11, 2010 at 5:22pm

This could be fixed by storing an array of session IDs in the user object.

#9

Posted by catch on February 4, 2011 at 7:33am
Title:Session DB Writeback» sess_destroy_uid() implementation only deletes latest session
Version:6.x-1.2» 6.x-1.x-dev

This is related to #791888: sess_destroy_sid() does not remove the session cookie from the user's browser.

#10

Posted by Darren Oh on April 21, 2011 at 6:59pm
Status:active» needs review

This still needs to be fixed for situations where a user has multiple browsers, each with a different session.

AttachmentSize
sess_destroy_uid-441842-10.patch 1.38 KB

#11

Posted by Darren Oh on April 21, 2011 at 7:05pm

Patch for anyone else who still uses Drupal 5.

AttachmentSize
sess_destroy_uid-441842-11_D5.patch 1.51 KB

#12

Posted by Darren Oh on May 16, 2011 at 4:48pm

Modified to prevent accumulation of dead sessions in the user object.

AttachmentSize
sess_destroy_uid-441842-12.patch 2.97 KB
sess_destroy_uid-441842-12_D5.patch 3.2 KB

#13

Posted by dberror on December 25, 2011 at 11:18am

#12 looks reasonable, I applied it on production site