I think that it would be good to have the content sharing user open a session and then immediately log out and kill the session after each push. Ideally doing this through the module.
Right now, I have a lot of open sessions for the content sharing user. I am using the Automatic Logout module, and have had it set to auto logout after 20 mins., but had excluded the content sharing user from the 1-session rule.
Set the settings.php file to 0 (zero) for sessions_maxlife, and cookie_lifetime to 0 (zero) as well, in an effort to clear all the sessions and throttle them for the future. Now, I have connection problems.
I also was using Login Security module to restrict login attempts. I have since disabled it in an effort to get Content Push to work; although, I suspect it was not interfering. Haven't yet confirmed.
So, how can these session and cookie settings be configured in a way to tighten security while allowing content push to continue?
[I am asking too, because I think that would be useful info. for documentation.]
Comments
Comment #1
greta_drupal commented:
Update:
After more testing, I can preliminarily report content pushing success with both Automatic Logout (with cookie and session rules* enforced for the content sharing users) and the Login Security modules installed. Also with settings.php sessions and cookies lines set to zero:
* If you force the 1-session rule for content pushing and are pushing among multiple sites, be sure that you are not sharing the content recipient (a/k/a slave) user -- created on the master site. Create a unique content recipient user for each receiving site.
Would still like to know if you foresee any problem with these strict security settings.
[I am close to some really good documentation on this beast! Feel free to delete all my issue posts after that.]
Comment #2
joachim commented:
The whole of a single content push happens in seconds, so I don't think the user getting logged out would affect it. In fact, when the slave site requests the content from the master, it's doing so acting as the webservice user, so it doesn't matter what the human user is doing by then.
I'm not sure why you need users to be logged out though... your use case sounds like something I hadn't envisaged at all.
Comment #3
greta_drupal commented:
Well, I suppose that the content sharing roles could stay logged in indefinitely. To me, it is tidier (and more secure) that users log out and the sessions are cleared. It certainly makes it easier to troubleshoot when you see clear logins/logouts. IMO.