in hook_boot there is :
if ( !isset($_SESSION['autologout_hits']) ) {
$_SESSION['autologout_hits'] = array();
}
$_SESSION['autologout_hits'][] = time();
so no matter anonymous or authenticated users, the session is created.
Then in hook_init, there is check to remove that session for anonymous users
// Clear session variable if you are not using autologout function and for anonymous users.
if ( isset($_SESSION['autologout_hits']) && (! _autologout_local_settings('enabled') || $user->uid == 0) ) {
unset($_SESSION['autologout_hits']);
}
Why not apply the same check in hook_boot, actually why do we need any autologout functions for anonymous users
Thanks
Comments
Comment #1
Anonymous (not verified) commentedComment #2
james.cartledge commentedPatched hook_boot because this messed up our cache headers as well as sending the session with every request.
Comment #3
sastha commentedApplying this patch completely removed 'autologout_hits' from logging. We ran Vulnerability scan for our site with thousands of users. For every anonymous user, this module store time stamp in 'sessions' table. The excessive time stamps for each hit lead to big UPDATE queries and filled the BINARY LOGs in MySQL. Ultimately, the site went down and crashed MySQL.
I suspect the problem is due to autologout_boot() function. Any idea how to resolve this?
Comment #4
johnennew commentedI am closing this issue as it is old and the 2.x branches are no longer supported. If anyone feels this is an issue in the 4.x branches please feel free to reopen.