I have in my settings to not store a cookie, because I'd like affiliate sales to only be counted if someone clicked an affiliate link and purchased something in the same session. However, because of drupal's session handler, the session is always stored in the database until destroyed. The user would be able to leave and come back any time and purchase with that affiliate ID as long as they don't clear their cookies (which deletes their session cookie, and destroys the session).
To me, this seems like a bug. The only way to remove the session is to manually remove it from the session table and unset it from the global session variable. Anyone else have issues with this?
Comment | File | Size | Author |
---|---|---|---|
#14 | dropsession-1062402.patch | 8.4 KB | bkosborne |
Comments
Comment #1
bkosborneAnyone know this? I'm really worried about launching a site with this confusion
Comment #2
univate CreditAttribution: univate commentedI don't think there is anything this module can do about this. Session management is handled by drupal.
Maybe take a look at something like:
http://drupal.org/node/713218
Comment #3
bkosborneAh interesting. Learned a lot about session handling in drupal there. Setting the session expiration time to zero should fix this issue for me. Thanks
Comment #4
bkosborneActually I have a similar question regarding the wording of an option. In the affiliate settings, it says "Set the affiliate cookie for the visiting user.
By setting the cookie, the affiliate gets credited even when no affiliate id is present in links visited."
That wording does not seem to be entirely accurate... it should perhaps be worded to describe that the affiliate will be awarded a sale as long as the user visited an affiliate link in his current session, which lasts somewhere around three weeks by default with drupal.
Comment #5
univate CreditAttribution: univate commentedWe could check the PHP session variable and use that to inform users how long sessions will persist on their site with instructions on how to change in settings.php
Comment #6
bkosborneSounds good to me
Comment #7
bkosborneDoes anybody have any suggestions about how to handle the case where I only want the sale to count in the users browser session, aside from setting the session cookie life to 0?
Comment #8
bkosborneI'm changing the title of this because I'm adding this in a feature request. The ability to track affiliate sales by just the browser session alone is extremely important to several of my clients. Currently, as figured out above, the module stores affiliate information in the session variable. Sessions by default only last as long as the browser window is open, but Drupal overrides this by setting the session cookie lifetime to an extended period (several weeks).
This effectively eliminates the setting in the module for setting a cookie and it's lifetime - because it doesn't take into account that the session cookie lifetime could be longer than what the user desires here.
An easy fix would be to set the session cookie lifetime back to 0, but that would mean that Drupal wouldn't remember any log-ins, very annoying. I'm instead going to remove all session references from the module and replace them with cookies that expire when the browser closes (session cookies). This is the only feasible way I can think of short of passing the affiliate link into every drupal page load.
I'll post back when finished...
Comment #9
bojanz CreditAttribution: bojanz commentedI agree. We should switch to only using cookies. Thank you for working on this.
I agree that it eliminates the option to set a cookie, but no reason not to have the lifetime changeable.
Comment #10
gabash CreditAttribution: gabash commentedsubscribed
Comment #11
bkosborneWorking on it... hopefully have a patch up tomorrow or friday. I'm actually close to finished with it, came up with a pretty easy way to remove sessions from this.
Comment #12
gabash CreditAttribution: gabash commentedany ideas on how to patch the module so the affiliate is never saved to the cookie?
Comment #13
bkosborneShort of somehow passing the affiliate token around the site, it's not possible. Session identifiers are stored in cookies as well, so they pretty much (to my knowledge) need to be enabled to work.
The method I'm working on will give the option of a cookie lifetime, and if set to 0 it will make the cookie a session cookie, which closes out on browser close.
Comment #14
bkosbornePatched... against the latest dev release. This needs testing for sure, but I've done enough preliminary testing to confirm it works. I'd really just like to have someone look over my changes to make sure it's done okay.
Comment #15
bkosborneComment #16
bkosborneCan a maintainer please look at this? It's been months... the patch will need to be re-rolled but I want to know it will be looked at before I spend time on that.