What I see is that each bakery site (slave or master, doesn't matter) rebakes the CHOCOLATECHIP cookie on every page load, if the page load happened with a valid CHOCOLATECHIP cookie present.
Commenting out this line in _bakery_taste_chocolatechip_cookie() (the call to _bakery_bake_chocolatechip_cookie()) stops this from happening, while SSO logins and SSO reg still seem to work.
My actual question is, why was this in the code? What have I broken by commenting this line out?
Thanks in advance,
huf
Comment | File | Size | Author |
---|---|---|---|
#10 | 1450842.diff | 2.82 KB | drumm |
#5 | 1450842-bakery-sso-cookie-master-5-d7.patch | 2.72 KB | coltrane |
#5 | 1450842-bakery-sso-cookie-master-5-d6.patch | 2.7 KB | coltrane |
Comments
Comment #1
greggles
It definitely shouldn't do it on every page.
Could you provide this idea as a patch?
Comment #2
coltrane
It is by design that the chocolatechip cookie is rebaked on every request, though I could not tell you why that is so, it's just always been there.
#1278168: SSO cookie reset before authentication is complete on subsite moves the setcookie to the login process of _bakery_taste_chocolatechip_cookie().
Further evaluation and testing is necessary here.
Comment #3
coltrane
Changing to a task.
Comment #4
coltrane
Here's D6 and D7 patches to only set the SSO cookie while on the master site. It's still doing so on every master page request but at least isn't doing so against sub-sites.
I think it can also be removed from every page request on master but here it is for testing first. This patch passes all SSO and data tests from https://github.com/bjeavons/bakery-chef
Comment #5
coltrane
Bakery's CHOCOLATECHIP cookie is set with an expire time "freshness" of 3600 after current time, by default. Removing the setcookie on every page request without changing that will mean the current user will lose their SSO after one hour.
Attached patch removes setting the SSO cookie on every request but extends it to expire with whatever is set for the main session cookie (by reading ini_get('session.cookie_lifetime')).
Comment #6
greggles
The ideas in comment #5 make sense to me.
Comment #7
ckng
#5 makes sense, tested working so far.
Comment #8
drumm
It seems like we are running into this on Drupal.org. Various places in _bakery_taste_chocolatechip_cookie() check $cookie['master']. If the cookie is baked from a non-master site, then the "// Create the account if it doesn't exist." code isn't entered.
Comment #9
drumm
I think this is a bit too aggressive, we do want to rebake cookies on master, so active sessions do not expire.
Comment #10
drumm
Here is an updated patch that keeps the rebaking on master-only.
Comment #12
drumm
We've been running this successfully on Drupal.org for some time, committing.
I moved 6.x-2.x from being recommended to supported and do not plan to do any commits that far back.
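
Added example, not from the thread and not Bakery's code: a small Python model of the three cookie-refresh policies discussed above (rebake on every request, bake once at login as in #5, rebake on master only as in #10), showing when SSO is lost under each. The function name, policy names, the request timeline and the 2000000-second stand-in for session.cookie_lifetime are constructed, and master-only rebaking is assumed to keep the default 3600-second freshness, since the patches themselves are not shown on this page.

```python
# Model only: policy names, function name and the timeline are constructed.
FRESHNESS = 3600  # default CHOCOLATECHIP lifetime in seconds (comment #5)


def simulate(requests, policy, lifetime=FRESHNESS):
    """Return, per request, whether the SSO cookie was still valid.

    requests: (timestamp, site) pairs sorted by time; site is "master" or
              "sub". The first request is the login on master.
    policy:   "every_request" - rebake on every page load on any site
              "bake_once"     - set only at login, valid for `lifetime`
              "master_only"   - rebake only on page loads on master
    """
    if policy not in ("every_request", "bake_once", "master_only"):
        raise ValueError(f"unknown policy: {policy}")
    login_time, _ = requests[0]
    expires = login_time + lifetime
    valid = [True]
    for now, site in requests[1:]:
        ok = now < expires
        valid.append(ok)
        if not ok:
            continue  # an expired cookie is not presented, so nothing is rebaked
        if policy == "every_request" or (policy == "master_only" and site == "master"):
            expires = now + lifetime  # sliding expiry: activity extends the cookie
    return valid


# Constructed timeline: login, then a mix of sub-site and master page loads.
TIMELINE = [(0, "master"), (1800, "sub"), (3000, "master"),
            (5000, "sub"), (6700, "sub"), (7000, "master")]

if __name__ == "__main__":
    cases = [("every_request", FRESHNESS),
             ("bake_once", FRESHNESS),   # the one-hour loss described in #5
             ("bake_once", 2000000),     # constructed session.cookie_lifetime value
             ("master_only", FRESHNESS)]
    for policy, lifetime in cases:
        print(f"{policy:14} lifetime={lifetime:<8} {simulate(TIMELINE, policy, lifetime)}")
```

A longer fixed lifetime keeps the user signed in without per-request rebaking, but the cookie then stays valid for that whole period regardless of activity, whereas the sliding policies expire an idle session after one freshness interval.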