The README.txt for this module states
This is all backed up by a server side logout if js is disable or bypassed.
However, I have discovered that this is not always the case. If you have a site that does not use any custom roles (you have only authenticated and anonymous), then sessions will never be expired but hook_cron().
hook_cron() queries {user_roles} to determine what roles a user has. "authenticated user" is no a role that is stored in this table. Therefore, the check for if that role should be logged out always returns false (ie: _autologout_logout_role()).
Also, just an FYI, I had to trace through the module code to determine that unless the "Role Timeout: Enable each role to have its own timeout threshold" checkbox is checked (along with at least one individual role checkbox). To me, the description of the checkbox and the README implied that if the box is not selected, then the hook_cron() session destroyer would affect for all roles using the same logout time found in the main "Timeout value in seconds". This is not the case - there is no server-side logout logic that executes be default.
Annotated screenshot attached.
Comment | File | Size | Author |
---|---|---|---|
#3 | server_side_session_destroy-2090429-3.patch | 2.72 KB | ryan_courtnage |
Screenshot of problems | 47.36 KB | ryan_courtnage |
Comments
Comment #1
ryan_courtnage CreditAttribution: ryan_courtnage commentedComment #2
ryan_courtnage CreditAttribution: ryan_courtnage commentedIn autologout_cron(), we could just hard-code in the authenticated user role:
Comment #3
ryan_courtnage CreditAttribution: ryan_courtnage commentedI also discovered that the hook_cron does not honor user-specific timeout settings, nor does it honor the per-role settings. It was coded to only use the main "Timeout value in seconds" setting.
The attached patch applies against 6.x-4.x. It fixes the following issues for the server-side session deleting:
Comment #4
ryan_courtnage CreditAttribution: ryan_courtnage commentedComment #5
johnennew CreditAttribution: johnennew commentedHi @ryan_courtnage,
Thanks for your patch submission - I was never 100% convinced by the hook_cron code.
For the Drupal 7 version, the approach was slightly different. Are you able to check this alternative approach to see if it would be better to backport this to Drupal 6?
https://drupal.org/node/1315708#comment-7516809
Comment #6
ryan_courtnage CreditAttribution: ryan_courtnage commentedHi @ceng,
Not sure I understand. That D7 patch will delete old sessions for a user every time they log in. However, I don't see how it would delete my current active session, which is currently over the timeout limit. ex:
I do not have to login again, and therefore the session deleting code does not run. As far as I can tell, there would be nothing stopping me from using the site (because javascript is disabled).
If using hook_cron(), the server would be able to delete the user's session after step 3 above, forcing him to re-authenticate.