[RCD] keep-alive changes

Thomas Bruederli thomas at roundcube.net
Tue May 1 13:54:20 CEST 2012

Claudio Kuenzler wrote:
> On Tue, May 1, 2012 at 12:49 PM, A.L.E.C <alec at alec.pl
> <mailto:alec at alec.pl>> wrote:
>     Digging into session issues I've found this keep-alive thing a little
>     bit overcomplicated and unclear. The keep-alive setting handles two
>     things: session keeping and new-mail checking. Some plugins also bind to
>     keep-alive to do some recurring actions (e.g. to display calendar
>     alarms, etc.).
>     I think we should split these functionalities. So keep-alive action
>     should be used only for session keeping. In such case we need to execute
>     keep-alive action only after some inactivity time (e.g. session_lifetime
>     - 1min [or 5%]). It means timer should be resetted on every reequest.
>     Also it means we don't need a separate config option, because the
>     interval would be calculated from session_lifetime. For
>     session_lifetime=0 there would be no keep-alive requests.
> Wasn't the whole keep-alive timer removed in change 6135 ?

Nope, that wasn't removed. I removed the separate request_timeout timer but
set a timeout to the jquery ajax api instead.
> By the way, since applying R6134 and 6135, the following entries are added
> every 5min to sessions log:
> [01-May-2012 12:40:58 +0200]: Session auth check failed for
> tmuc32t92k18dhpn0brnjtcra6; timeslot = 2012-05-01 12:40:00
> [01-May-2012 12:40:58 +0200]: Send new auth cookie for
> tmuc32t92k18dhpn0brnjtcra6: S53fabb9110e91180a0496334c87df7aac72d70d9
> [...]

That's correct and I assume to have log_session enabled in config.
The auth cookie is valid for 5 minutes (session_lifetime / 2) and is then
replaced with a new value. That process is logged here for debugging
purposes. The whole session auth cookie is meant to be an additional
protection against session hijacking because it changes during a session
whereas the actual session cookie doesn't.


More information about the dev mailing list