Phew! I thought I was going crazy.
if { $session_expr - [sec_session_renew] < [ns_time] } {
    # LARS: We abandoned the use of sec_login_handler here. This lets people stay logged in forever
    # if only they keep requesting pages frequently enough, but the alternative was that
    # the situation where LoginTimeout = 0 (infinite) and the user unchecks the "Remember me" checkbox
    # would cause users' sessions to expire as soon as the session needed to be renewed
    sec_generate_session_id_cookie
}
This code breaks the sec_change_user_auth_token because it never checks the login auth_token if your session has not expired.
So I lose :) But it is a bug in the sec_handler, not in sec_change_user_auth_token. I suggest we fix this instead of some magic code that runs on a future request.
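
A simplified Python model of the behaviour described in the post above, added here as an example and not OpenACS code: it shows a session that is renewed without re-checking the login token outliving a token change, and the same flow with the check applied on renewal. All names, the timeout values and the user table are assumptions made for the illustration.

```python
from dataclasses import dataclass

SESSION_TIMEOUT = 1200   # assumed session lifetime in seconds
SESSION_RENEW = 300      # assumed renewal window, playing the role of [sec_session_renew]

# Constructed user table: user_id -> current auth token (changed to revoke logins).
USER_TOKENS = {42: "token-v1"}

@dataclass
class Cookies:
    user_id: int
    session_expr: float   # expiry time carried in the session cookie
    login_token: str      # auth token captured in the login cookie at login time

def login_token_valid(c):
    """Compare the login cookie's token with the user's current token."""
    return USER_TOKENS.get(c.user_id) == c.login_token

def handle_request(c, now, check_on_renew):
    """Return the cookies after one request, or None if the user is logged out."""
    if c.session_expr < now:
        # Expired session: in this model the login cookie is re-validated here.
        if not login_token_valid(c):
            return None
        return Cookies(c.user_id, now + SESSION_TIMEOUT, c.login_token)
    if c.session_expr - SESSION_RENEW < now:
        # Renewal window: the quoted branch re-issues the session cookie directly.
        if check_on_renew and not login_token_valid(c):
            return None
        return Cookies(c.user_id, now + SESSION_TIMEOUT, c.login_token)
    return c

def survives_token_change(check_on_renew, requests=10):
    """Change the user's token, then keep requesting pages inside the renewal window."""
    USER_TOKENS[42] = "token-v1"
    now = 0.0
    c = Cookies(42, now + SESSION_TIMEOUT, "token-v1")
    USER_TOKENS[42] = "token-v2"   # the effect sec_change_user_auth_token is meant to have
    for _ in range(requests):
        now += SESSION_TIMEOUT - SESSION_RENEW + 1   # land inside the renewal window
        c = handle_request(c, now, check_on_renew)
        if c is None:
            return False
    return True
```
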