[RCD] keep-alive changes
thomas at roundcube.net
Tue May 1 13:54:20 CEST 2012
Claudio Kuenzler wrote:
> On Tue, May 1, 2012 at 12:49 PM, A.L.E.C <alec at alec.pl
> <mailto:alec at alec.pl>> wrote:
> Digging into session issues I've found this keep-alive thing a little
> bit overcomplicated and unclear. The keep-alive setting handles two
> things: session keeping and new-mail checking. Some plugins also bind to
> keep-alive to do some recurring actions (e.g. to display calendar
> alarms, etc.).
> I think we should split these functionalities. So keep-alive action
> should be used only for session keeping. In such case we need to execute
> keep-alive action only after some inactivity time (e.g. session_lifetime
> - 1min [or 5%]). It means timer should be resetted on every reequest.
> Also it means we don't need a separate config option, because the
> interval would be calculated from session_lifetime. For
> session_lifetime=0 there would be no keep-alive requests.
> Wasn't the whole keep-alive timer removed in change 6135 ?
Nope, that wasn't removed. I removed the separate request_timeout timer but
set a timeout to the jquery ajax api instead.
> By the way, since applying R6134 and 6135, the following entries are added
> every 5min to sessions log:
> [01-May-2012 12:40:58 +0200]: Session auth check failed for
> tmuc32t92k18dhpn0brnjtcra6; timeslot = 2012-05-01 12:40:00
> [01-May-2012 12:40:58 +0200]: Send new auth cookie for
> tmuc32t92k18dhpn0brnjtcra6: S53fabb9110e91180a0496334c87df7aac72d70d9
That's correct and I assume to have log_session enabled in config.
The auth cookie is valid for 5 minutes (session_lifetime / 2) and is then
replaced with a new value. That process is logged here for debugging
purposes. The whole session auth cookie is meant to be an additional
protection against session hijacking because it changes during a session
whereas the actual session cookie doesn't.
More information about the dev