[RCD] Session Class Questions

Rodrigo Castillo rodrigo at corp.sonic.net
Wed Sep 11 23:13:28 CEST 2013


I'm exploring the rcmail_session class to hunt down some intermittent 
issues with untimely session expiration, and to develop a better 
remember_me extension (or attempt to get it into core...).

I came across the following code:

...
     /**
      * Setter for session lifetime
      */
     public function set_lifetime($lifetime)
     {
         $this->lifetime = max(120, $lifetime);

         // valid time range is now - 1/2 lifetime to now + 1/2 lifetime
         $now = time();
         $this->now = $now - ($now % ($this->lifetime / 2));
     }
...
     /**
      * Create session cookie from session data
      *
      * @param int Time slot to use
      */
     function _mkcookie($timeslot)
     {
         $auth_string = "$this->key,$this->secret,$timeslot";
         return "S" . (function_exists('sha1') ? sha1($auth_string) : md5($auth_string));
     }
...
     /**
      * Check session authentication cookie
      *
      * @return boolean True if valid, False if not
      */
     function check_auth()
     {
...
         if ($result && $this->_mkcookie($this->now) != $this->cookie) {
...
     }

It's quite deliberate, and it made me curious as to the reasoning behind 
the decision not to simply include a 'created_at' and 'expires_at' 
within the cookie, which would simplify the validation of the timespan. 
Is the reason security, or perhaps load balancing?
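Added example, not Roundcube's own code: a Python model of the slot arithmetic in the fragments above, showing how long a cookie minted at a given moment keeps validating when, as in the quoted check_auth() line, only the cookie of the current slot is compared. The key, secret and timestamps are constructed placeholders.

```python
import hashlib

LIFETIME_FLOOR = 120  # seconds, mirrors max(120, $lifetime) in set_lifetime()


def time_slot(now, lifetime):
    """Start of the half-lifetime slot containing `now`.

    Mirrors $this->now = $now - ($now % ($this->lifetime / 2)); PHP's %
    truncates a fractional half-lifetime to an int, hence the // here.
    """
    half = max(LIFETIME_FLOOR, lifetime) // 2
    return now - (now % half)


def mk_cookie(key, secret, timeslot):
    """Mirrors _mkcookie(): "S" followed by sha1("key,secret,timeslot")."""
    auth_string = f"{key},{secret},{timeslot}"
    return "S" + hashlib.sha1(auth_string.encode("utf-8")).hexdigest()


def check_auth(cookie, key, secret, now, lifetime):
    """The comparison from the quoted check_auth(): the presented cookie
    must equal the one derived from the *current* slot only."""
    return cookie == mk_cookie(key, secret, time_slot(now, lifetime))


def seconds_until_rejected(issued_at, lifetime):
    """How long a cookie minted at `issued_at` keeps validating under the
    current-slot-only comparison: until the next slot boundary, which is
    anywhere from 1 second to a full half-lifetime away."""
    half = max(LIFETIME_FLOOR, lifetime) // 2
    return time_slot(issued_at, lifetime) + half - issued_at


if __name__ == "__main__":
    key, secret, lifetime = "session-key", "server-secret", 600  # constructed
    issued_at = 1000  # constructed Unix time; slot starts at 900, ends at 1200
    cookie = mk_cookie(key, secret, time_slot(issued_at, lifetime))
    for now in (issued_at, 1199, 1200):
        print(now, check_auth(cookie, key, secret, now, lifetime))
    print("rejected after", seconds_until_rejected(issued_at, lifetime), "s")
```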
