From 46d4c7506e1bd7563d18e761cc6136d72496623f Mon Sep 17 00:00:00 2001
From: Geoff
Date: Sun, 6 Mar 2011 20:34:51 -0800
Subject: [PATCH 1/3] Expire users' token cookie if no longer valid.
---
 persistent_login.module | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/persistent_login.module b/persistent_login.module
index 9969b5c..416c3e6 100644
--- a/persistent_login.module
+++ b/persistent_login.module
@@ -253,6 +253,7 @@ function persistent_login_user($op, &$edit, &$account, $category = NULL) {
 }
 // If the password is modified, fall through to wipe all persistent logins.
 case 'delete':
+ _persistent_login_setcookie($cookie_name, '', time() - 86400);
 _persistent_login_invalidate($op, 'uid = %d', $account->uid);
 unset($_SESSION['persistent_login_check']);
 unset($_SESSION['persistent_login_login']);
@@ -323,10 +324,12 @@ function _persistent_login_check() {
 $r = db_fetch_array($res);
 if (!is_array($r) || count($r) == 0) {
 // $uid:$series is invalid
+ _persistent_login_setcookie($cookie_name, '', time() - 86400);
 return;
 } else if ($r['pl_expires'] > 0 && $r['pl_expires'] < time()) {
 // $uid:$series has expired
+ _persistent_login_setcookie($cookie_name, '', time() - 86400);
 return;
 }
@@ -393,6 +396,7 @@ function _persistent_login_check() {
 // Reset PL state in $_SESSION.
 $d = array();
+ _persistent_login_setcookie($cookie_name, '', time() - 86400);
 _persistent_login_invalidate('stolen', 'uid = %d', $uid);
 persistent_login_user('logout', $d, $user);
 // Delete all open sessions for this user. Use $uid from the
From 0a826cab29603925322fba8b0991aaa76c51d0d2 Mon Sep 17 00:00:00 2001
From: Geoff Appleby
Date: Sun, 11 Mar 2012 22:55:35 -0700
Subject: [PATCH 2/3] Simplified setcookie function, added clearcookie function
---
 persistent_login.module | 26 ++++++++++++++++----------
 1 file changed, 16 insertions(+), 10 deletions(-)
diff --git a/persistent_login.module b/persistent_login.module
index 416c3e6..09c7f46 100644
--- a/persistent_login.module
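Review bot: The cookie expired by the added `_persistent_login_setcookie($cookie_name, '', time() - 86400);` in `case 'delete'` is the one in the requesting browser, which is not necessarily `$account`'s: `persistent_login_user()` runs for whichever account is being updated or deleted, so an administrator changing another user's password would drop their own persistent login while the target's browser keeps its cookie, and it is the `_persistent_login_invalidate($op, 'uid = %d', $account->uid)` on the next line that actually revokes the target's tokens. Consider guarding the call with a check that the operated-on account is the current user, e.g. `if ($account->uid == $user->uid)` with `global $user` in scope, or comparing against the `uid` prefix of the `uid:series:token` cookie value. Separately, `$cookie_name` is assigned inside `case 'logout'` of this function, and whether it is also assigned on the path that reaches `case 'delete'` is not visible in this hunk; the second patch in the series removes the parameter, which sidesteps that. persistent_login_user() starts before and continues after this hunk.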
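Review bot: In the `$uid:$series has expired` branch of `_persistent_login_check()` the new line only expires the browser cookie; the matching `{persistent_login}` row, token included, stays in the table and nothing in this hunk removes it (a cron purge may exist elsewhere, not visible here). The function already invalidates rows by series elsewhere — the third patch shows `_persistent_login_invalidate('used', "uid = %d AND series = '%s'", $uid, $series)` — so, if the first argument is a free-form reason as the `'stolen'` and `'used'` calls suggest, adding `_persistent_login_invalidate('expired', "uid = %d AND series = '%s'", $uid, $series);` before the `return` keeps expired secrets from lingering in the database. `_persistent_login_check()` starts before and continues after this hunk.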
+++ b/persistent_login.module
@@ -210,7 +210,7 @@ function persistent_login_user($op, &$edit, &$account, $category = NULL) {
 case 'logout':
 $cookie_name = _persistent_login_get_cookie_name();
 if (!empty($_COOKIE[$cookie_name])) {
- _persistent_login_setcookie($cookie_name, '', time() - 86400);
+ _persistent_login_clearcookie();
 unset($_SESSION['persistent_login_check']);
 unset($_SESSION['persistent_login_login']);
 unset($_SESSION['persistent_login_reauth']);
@@ -253,7 +253,7 @@ function persistent_login_user($op, &$edit, &$account, $category = NULL) {
 }
 // If the password is modified, fall through to wipe all persistent logins.
 case 'delete':
- _persistent_login_setcookie($cookie_name, '', time() - 86400);
+ _persistent_login_clearcookie();
 _persistent_login_invalidate($op, 'uid = %d', $account->uid);
 unset($_SESSION['persistent_login_check']);
 unset($_SESSION['persistent_login_login']);
@@ -324,12 +324,12 @@ function _persistent_login_check() {
 $r = db_fetch_array($res);
 if (!is_array($r) || count($r) == 0) {
 // $uid:$series is invalid
- _persistent_login_setcookie($cookie_name, '', time() - 86400);
+ _persistent_login_clearcookie();
 return;
 } else if ($r['pl_expires'] > 0 && $r['pl_expires'] < time()) {
 // $uid:$series has expired
- _persistent_login_setcookie($cookie_name, '', time() - 86400);
+ _persistent_login_clearcookie();
 return;
 }
@@ -396,7 +396,7 @@ function _persistent_login_check() {
 // Reset PL state in $_SESSION.
 $d = array();
- _persistent_login_setcookie($cookie_name, '', time() - 86400);
+ _persistent_login_clearcookie();
 _persistent_login_invalidate('stolen', 'uid = %d', $uid);
 persistent_login_user('logout', $d, $user);
 // Delete all open sessions for this user. Use $uid from the
@@ -434,7 +434,7 @@ function _persistent_login_create_cookie($acct, $edit = array()) {
 $expires = (isset($edit['pl_expires']) ? $edit['pl_expires'] : (($days > 0) ? time() + $days * 86400 : 0));
 $series = (isset($edit['pl_series']) ? $edit['pl_series'] : drupal_get_token(uniqid(mt_rand(), TRUE)));
- _persistent_login_setcookie($cookie_name, $acct->uid .':'. $series .':'. $token, $expires > 0 ? $expires : 2147483647);
+ _persistent_login_setcookie($acct->uid .':'. $series .':'. $token, $expires > 0 ? $expires : 2147483647);
 db_query("INSERT INTO {persistent_login} (uid, series, token, expires) VALUES (%d, '%s', '%s', %d)", $acct->uid, $series, $token, $expires);
 if (db_affected_rows() != 1) {
@@ -456,21 +456,27 @@ function _persistent_login_create_cookie($acct, $edit = array()) {
 }
 /**
- * Set a cookie with the same options as the session cookie.
+ * Set the persistent login cookie with the same options as the session cookie.
 *
- * @param $name
- * The name of the cookie.
 * @param $value
 * The value to store in the cookie.
 * @param $expire
 * The time the cookie expires. This is a Unix timestamp so is in number of seconds
 * since the epoch. By default expires when the browser is closed.
 */
-function _persistent_login_setcookie($name, $value, $expire = 0) {
+function _persistent_login_setcookie($value, $expire = 0) {
+ $name = _persistent_login_get_cookie_name();
 $params = session_get_cookie_params();
 setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure']);
 }
+/**
+ * Remove the persistent login cookie.
+ */
+function _persistent_login_clearcookie() {
+ _persistent_login_setcookie('', time() - 86400);
+}
+
 /**
 * Get the name of the Persistent Login cookie.
 *
From d07eb3a820319ce274d00f742fb58366d4b87702 Mon Sep 17 00:00:00 2001
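Review bot: `_persistent_login_setcookie()` copies `path`, `domain` and `secure` from `session_get_cookie_params()` but drops `httponly`, so the `uid:series:token` cookie written by `_persistent_login_create_cookie()` stays readable to page scripts even where the session cookie is HttpOnly, and the refactored docblock now promises "the same options as the session cookie" while the `setcookie()` call still does not deliver that. Passing the seventh argument closes the gap: `setcookie($name, $value, $expire, $params['path'], $params['domain'], $params['secure'], $params['httponly']);` — both the `httponly` key and the parameter exist from PHP 5.2, and `_persistent_login_clearcookie()` inherits it through the same helper. The `_persistent_login_get_cookie_name()` docblock that closes the hunk continues outside it.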
From: Geoff Appleby
Date: Sun, 11 Mar 2012 23:05:21 -0700
Subject: [PATCH 3/3] Don't set checked variable in session unless successful
If a cookie is provided but does not validate it will be cleared (added in commit 46d4c750), so only set the session cookie if the validation is successful to avoid creating a session for anonymous users
---
 persistent_login.module | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/persistent_login.module b/persistent_login.module
index 09c7f46..f43a9d5 100644
--- a/persistent_login.module
+++ b/persistent_login.module
@@ -314,8 +314,6 @@ function _persistent_login_check() {
 $cookie_name = _persistent_login_get_cookie_name();
 if ($user->uid == 0 && isset($_COOKIE[$cookie_name]) && !isset($_SESSION['persistent_login_check'])) {
- // For efficiency, only check once per session unless something changes.
- $_SESSION['persistent_login_check'] = TRUE;
 list($uid, $series, $token) = explode(':', $_COOKIE[$cookie_name]);
@@ -339,6 +337,9 @@ function _persistent_login_check() {
 require_once './includes/theme.inc';
 if ($r['pl_token'] === $token) {
+ // For efficiency, only check once per session unless something changes.
+ $_SESSION['persistent_login_check'] = TRUE;
+
 // Delete the one-time use persistent login cookie.
 _persistent_login_invalidate('used', "uid = %d AND series = '%s'", $uid, $series);
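Review bot: The once-per-session guard in the `if` condition now covers only the success path, so a request carrying a cookie that the invalid, expired or token-mismatch branches reject performs the `{persistent_login}` lookup on every request until the browser honours the expiring Set-Cookie, where the removed `$_SESSION['persistent_login_check'] = TRUE` bounded it to once per session at the cost of creating sessions for anonymous visitors, as the commit message says. That is probably an acceptable trade for a keyed lookup, but it is worth recording next to the condition, e.g. `// No per-session guard on failure: a rejected cookie is expired below, so the lookup repeats only while the browser keeps sending it.`, and worth confirming that the table is indexed on (uid, series). Whether the clearing cookie's path and domain from `session_get_cookie_params()` always match those the original cookie was set with is not visible here, and it decides whether the repeat actually ends. `_persistent_login_check()` starts before and continues after this hunk.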