Cor Bosman wrote:
Hey all, we use hardware loadbalancers that connect to apache to see if the server is still ok. It does not login.
I just realised these do actually create sessions, causing problems with garbage collection :(
I'm wondering why these session records cause problems with garbage collection. They do not differ from active session records...
Are connects without login supposed to create a session?
Yes, they are.
If so, why? This is with a relatively recent 0.7 from svn.
For security and performance reasons we only accept login attempts from browsers which have visited the login page before. Therefore a session record is created when a user opens the login page and a 'temp' flag is saved in order to check, whether the user is coming from the login page. Only if that is set, we forward the login attempt to the IMAP backend to authenticate.
That design was there right from the beginning and it seems to work well with default garbage collection settings. Check the 'session_lifetime' config setting in Roundcube. That controls the garbage collection together with PHP's session.gc_* settings.
~Thomas