Problem/Motivation
With the default services.yml, session garbage collection removes sessions from the database after 200000 seconds (~2 days), which can happen while the user's session cookie has not yet expired in the browser. Since TokenHandler checks only for the existence of a session cookie to decide whether to skip token validation, if the session handler does not remove the stale session cookie from the request's cookie bag before TokenHandler acts, then Persistent Login (PL) will not initialize a new session for the user on that request (nor until the request after the browser has been told to remove the session cookie).
# Set session lifetime (in seconds), i.e. the grace period for session
# data. Sessions are deleted by the session garbage collector after one
# session lifetime has elapsed since the user's last visit. When a session
# is deleted, authenticated users are logged out, and the contents of the
# user's session is discarded.
# @default 200000
gc_maxlifetime: 200000
Steps to reproduce
1. Log in with the "Remember Me" option
2. Delete sessions from the database
3. Visit a page on the site
Expected behaviour: The PL token should be validated, and a new session started.
Current behaviour: The PL token is not validated, and the page is loaded as an anonymous user. The response clears the session cookie, and refreshing the page will validate the PL token and log the user in.
Proposed resolution
Replace the !$this->sessionConfiguration->hasSession($request) check in TokenHandler with one that actually checks that a valid session was initialized.
Remaining tasks
User interface changes
API changes
Data model changes
Issue fork persistent_login-3349484
- 3349484-event-order (MR !5)
- 3349484-pl-token-wont (MR !1)
Comments
Comment #2
gapple
I tried !SessionManager::isStarted(), but that appears to also return true for anonymous requests. It looks like \Drupal::currentUser()->isAnonymous() may be the best option?
Comment #4
gapple
Comment #5
agileadam
Brilliant! This fixes my issue #3347532: User appears logged out until clicking Login link.
Comment #7
gapple
Comment #9
gapple
gappleThe previous commit introduced an issue with the Request event ordering, and resulted in the Persistent Login instance being updated on every request, and could possibly cause issues with regenerating sessions and losing temporary data.
It looks like I had an incorrect assumption in 2015 that PL had to act prior to authentication (I was probably trying to ensure that it acted before permissions checks). At this point CurrentUser is always anonymous, so PL will always validate and regenerate the instance value. Placing PL's event handler immediately after AuthenticationProvider will cause CurrentUser to be an authenticated user as expected if a session was started.
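As an added illustration, not code from the Persistent Login module, the following sketch places the cookie-presence check described in the issue summary beside the current-user check proposed in comment #2, wired to run immediately after core authentication as comment #9 describes. The class name, the injected services and the priority value (core's authentication subscriber is assumed to run at 300) are assumptions.

```php
<?php

namespace Drupal\persistent_login_example\EventSubscriber;

use Drupal\Core\Session\AccountProxyInterface;
use Drupal\Core\Session\SessionConfigurationInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

// Added illustration, not the Persistent Login module's own TokenHandler.
class TokenHandlerExample implements EventSubscriberInterface {

  public function __construct(
    protected SessionConfigurationInterface $sessionConfiguration,
    protected AccountProxyInterface $currentUser,
  ) {}

  public static function getSubscribedEvents(): array {
    // Assumption: core's AuthenticationSubscriber authenticates at priority
    // 300 on KernelEvents::REQUEST, so 299 runs immediately after it and
    // $this->currentUser already reflects any session that was started.
    return [KernelEvents::REQUEST => [['loadTokenOnRequestEvent', 299]]];
  }

  // Original check: only asks whether a session cookie was sent. A stale
  // cookie whose server-side session was garbage-collected still yields
  // FALSE here, so the remember-me token is never consulted.
  public function needsTokenValidationByCookie(RequestEvent $event): bool {
    return !$this->sessionConfiguration->hasSession($event->getRequest());
  }

  // Proposed check: asks whether authentication actually produced a user.
  // With a stale cookie the session loads empty, the current user stays
  // anonymous, and the token is validated on this same request.
  public function needsTokenValidation(): bool {
    return $this->currentUser->isAnonymous();
  }

  public function loadTokenOnRequestEvent(RequestEvent $event): void {
    if (!$event->isMainRequest() || !$this->needsTokenValidation()) {
      return;
    }
    // Validate the persistent-login cookie and start a session here.
  }

}
```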
Comment #12
gapple
Bug will be fixed in 1.6