What I see is that each bakery site (slave or master, doesn't matter) rebakes the CHOCOLATECHIP cookie on every page load, if the page load happened with a valid CHOCOLATECHIP cookie present.

Commenting out this line in _bakery_taste_chocolatechip_cookie() (the call to _bakery_bake_chocolatechip_cookie()) stops this from happening, while SSO logins and SSO reg still seem to work.

My actual question is, why was this in the code? What have I broken by commenting this line out?

Thanks in advance,
huf


Comments

greggles’s picture

Category: support » bug

It definitely shouldn't do it on every page.

Could you provide this idea as a patch?

coltrane’s picture

Title: Why does bakery2.x-dev rebake the CHOCOLATECHIP cookie on every hook_boot() call? » Evaluate setting SSO cookie only during login

It is by design that the chocolatechip cookie is rebaked on every request, though I could not tell you why that is so, it's just always been there.

#1278168: "SSO cookie reset before authentication is complete on subsite" moves the setcookie to the login process of _bakery_taste_chocolatechip_cookie().

Further evaluation and testing is necessary here.

coltrane’s picture

Category: bug » task

Changing to a task.

coltrane’s picture

Title: Evaluate setting SSO cookie only during login » Set SSO cookie only on master
Version: 6.x-2.x-dev » 7.x-2.x-dev
Category: Task » Feature request
Issue summary: View changes
Status: Active » Needs review

Here are D6 and D7 patches to only set the SSO cookie while on the master site. It's still doing so on every master page request but at least isn't doing so against sub-sites.

I think it can also be removed from every page request on master but here it is for testing first. This patch passes all SSO and data tests from https://github.com/bjeavons/bakery-chef

coltrane’s picture

Bakery's CHOCOLATECHIP cookie is set with an expire time "freshness" of 3600 after current time, by default. Removing the setcookie on every page request without changing that will mean the current user will lose their SSO after one hour.

Attached patch removes setting the SSO cookie on every request but extends it to expire with whatever is set for the main session cookie (by reading ini_get('session.cookie_lifetime')).
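
The expiry trade-off described in the comment above, as an added example that is not Bakery's code or the attached patch: it replays a series of requests and reports when a cookie stops being valid under a per-request rebake, a login-only bake with the 3600-second freshness, and a login-only bake aligned to session.cookie_lifetime. The function names, the request times, the 2000000-second lifetime and the fallback used when the lifetime is 0 are assumptions made for the illustration.

```php
<?php
// Added illustration; not Bakery's implementation. All names are hypothetical.

const FRESHNESS = 3600; // default "freshness" quoted in the thread, in seconds

/**
 * Expiry timestamp for a cookie baked at $bakedAt.
 * $sessionLifetime mirrors ini_get('session.cookie_lifetime'); 0 means
 * "until the browser closes", so this example falls back to FRESHNESS
 * rather than emitting an already-expired timestamp (an assumption here).
 */
function sso_expiry(int $bakedAt, bool $alignToSession, int $sessionLifetime): int {
  $ttl = ($alignToSession && $sessionLifetime > 0) ? $sessionLifetime : FRESHNESS;
  return $bakedAt + $ttl;
}

/**
 * Replays request times (seconds after login) and returns the first request
 * that arrives with an expired cookie, or NULL if SSO survives all of them.
 */
function first_sso_loss(array $requests, bool $rebakeEachRequest, bool $alignToSession, int $sessionLifetime): ?int {
  $expires = sso_expiry(0, $alignToSession, $sessionLifetime); // baked at login
  foreach ($requests as $t) {
    if ($t >= $expires) {
      return $t; // cookie no longer valid: user drops out of SSO
    }
    if ($rebakeEachRequest) {
      $expires = sso_expiry($t, $alignToSession, $sessionLifetime); // sliding window
    }
  }
  return NULL;
}

// Constructed sample: a page view every 30 minutes for three hours.
$requests = [1800, 3600, 5400, 7200, 9000, 10800];
$policies = [
  'rebake every request, 3600 s'        => [TRUE,  FALSE, 0],
  'bake at login only, 3600 s'          => [FALSE, FALSE, 0],
  'bake at login, session lifetime'     => [FALSE, TRUE,  2000000],
  'bake at login, session lifetime = 0' => [FALSE, TRUE,  0],
];
foreach ($policies as $label => [$rebake, $align, $lifetime]) {
  $lost = first_sso_loss($requests, $rebake, $align, $lifetime);
  printf("%-38s %s\n", $label, $lost === NULL ? 'SSO kept' : "SSO lost at t={$lost}s");
}
```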

greggles’s picture

The ideas in comment #5 make sense to me.

ckng’s picture

#5 makes sense, tested working so far.

drumm’s picture

Issue tags: +affects drupal.org

It seems like we are running into this on Drupal.org. Various places in _bakery_taste_chocolatechip_cookie() check $cookie['master']. If the cookie is baked from a non-master site, then the "// Create the account if it doesn't exist." code isn't entered.

drumm’s picture

Assigned: Unassigned » drumm
Status: Needs review » Needs work
Related issues: +#2421423: Getting logged out intermittently

I think this is a bit too aggressive, we do want to rebake cookies on master, so active sessions do not expire.

drumm’s picture

Status: Needs work » Needs review

Here is an updated patch that keeps the rebaking on master-only.

  • drumm committed 15a818c on 7.x-2.x
    Issue #1450842 by coltrane, drumm: Set SSO cookie only on master
    
drumm’s picture

Status: Needs review » Fixed

We've been running this successfully on Drupal.org for some time, committing.

I moved 6.x-2.x from being recommended to supported and do not plan to do any commits that far back.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.