Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.First, thanks for the great module!
I am currently using the session_limit module to prevent a certain amount of sessions on a particular role/account. In my testing I have the account limited to 2 sessions and prevents any more until those are ended. I am relying on the automated logout module to end the sessions after a particular amount of time (1 min for testing). This works perfectly as long as the browser remains open, the timeout occurs as expected and the session is ended.
The problem comes when the user closes the browser before the timeout happens, in which case the session is now stuck and cannot be ended. The account quickly becomes locked without any access possible. Is there a way, or is automated logout supposed to, log-out the session even after the browser is closed?
Any ideas about this would be greatly appreciated. Thanks again!
- Riki
Comments
Comment #1
Liam McDermott CreditAttribution: Liam McDermott commentedHere's a first attempt at a patch. While it doesn't delete the session when they close the browser window, it does clean up sessions that should have expired when cron is run.
One thing to bear in mind is cron is using a different $_SESSION to the user, I would have liked to have loaded up the session and checked the
autologout_last, but had to usetimestampfrom {sessions} instead, because:1. There's no simple way of unserialising session data;
2. Switching between sessions using
session_id()is ... tweaky;3. Even if either of the above worked it can still be horribly broken if the user has the Suhosin hardened PHP patch applied and session data encrypted.
Comment #2
Liam McDermott CreditAttribution: Liam McDermott commentedThat last patch had a bug, I used the $result variable twice in two nested loops. Here's a better one.
Comment #3
RikiB CreditAttribution: RikiB commented#2 works perfectly. Thanks Liam!
Comment #4
RikiB CreditAttribution: RikiB commentedAfter more tests on multiple computers, the sessions are still not being completely removed during cron. Another approach may be needed.
Comment #5
Liam McDermott CreditAttribution: Liam McDermott commentedHere's a new patch with the cron problem fixed.
Comment #6
johnennew CreditAttribution: johnennew commentedI've committed the patch in #5 to 6.x-4.x branch as it looks like it's working great.
Changing to 7.x-4.x and needs work so this can be added to the 7.x-4.x branch if needed.
Comment #7
johnennew CreditAttribution: johnennew commentedI have a (possibly) cleaner solution to this problem and attach a patch for 7.x-4.x branch.
The current solution is to clean stale sessions up via cron which can be quite costly from cron and also means that you have to wait for cron to have worked before the session_limit module knows a user has a free session.
Instead, this patch cleans stale sessions at login. My initial testing shows this to be a valid solution but I'm going to write some automated tests to prove it in a cople of different situations.
I'd be interested in other's feedback on this approach.
Comment #8
johnennew CreditAttribution: johnennew commentedSame patch with tests showing stale sessions cleaned up at login.
Comment #9
johnennew CreditAttribution: johnennew commentedI like this approach so am committing to development 7.x-4.x branch. Will leave 6.x as it is for the time being.
Comment #10.0
(not verified) CreditAttribution: commentedchanged the wording a little