The existing session types mode setting, for whether to expire anonymous users or both anonymous & authenticated user sessions could be expanded to allow configuring which user roles should have their sessions expired. With the attached patch, the anonymous user role & authenticated user role can be selected to replicate the existing behaviour (and an update hook has been included in the patch to transform the setting appropriately), but other roles can be selected as well / instead to restrict the session expiring to certain roles (e.g. only users with certain elevated roles should have their sessions expired, for security, while leaving regular users' or anonymous users' sessions alive).

CommentFileSizeAuthor
#5 session_expire-select_roles-2370521-5.patch9.93 KBpachabhaiya
#4 session_expire-select_roles-2370521-4.patch4.98 KBpachabhaiya
#2 session_expire-select_roles-2370521-2.patch4.63 KBpachabhaiya
session_expire-select-roles.patch4.87 KBjames.williams

Comments

pachabhaiya’s picture

pachabhaiya commented
Assigned: Unassigned » pachabhaiya
Status: Needs review » Needs work
Issue tags: +Needs reroll

The attached patch does not apply cleanly in the latest 7.x-1.x-dev version. Looks like we have to re-roll the patch.
I'm assigning it to myself and will be re-rolling the patch.

pachabhaiya’s picture

pachabhaiya commented
Assigned: pachabhaiya » Unassigned
Status: Needs work » Needs review
Issue tags: -Needs reroll
StatusFileSize
new session_expire-select_roles-2370521-2.patch4.63 KB

There was a conflict in session_expire.module file when re-rolling. Conflicts fixed and patch rerolled.
Now it applies cleanly in the latest 7.x-1.x-dev version.

pachabhaiya’s picture

pachabhaiya commented

Works perfect for me.

pachabhaiya’s picture

pachabhaiya commented
StatusFileSize
new session_expire-select_roles-2370521-4.patch4.98 KB

Updated some comments and descriptions.

pachabhaiya’s picture

pachabhaiya commented
Status: Needs review » Needs work
StatusFileSize
new session_expire-select_roles-2370521-5.patch9.93 KB

It looks like there may be some potential issues with the $max_deletions not getting enforced as expected, in some (edge) cases. It appears that the backlog of sessions get processed from newest to oldest. The two problematic examples I came up with were:

1) If multiple users were to have a timestamp at exactly the same time, we could end up processing more than the limit expected.
OR
2) If more users log in more often than the cron run can process, it can leave some of the oldest sessions still around.

I think that switching to processing from oldest to newest could alleviate the issues mentioned above and/or switching to using the queue API for the deletions.

I have add the updated patch with some @todo comments.