Forum OpenACS Q&A: ad-security:sec_read_security_info

Posted by Jonathan Ellis on
anyone have a clue what aD was thinking when they wrote this bit of 3.2 code? I'm specifically looking at the block that begins (slightly reformatted)
    if {$ad_sec_session_id == "" || 
        $last_issue > [ns_time] + [sec_session_timeout] || 
        $last_issue + [sec_session_timeout] < [ns_time] } {
        # No session or user ID yet (or last_issue is way in the
        # future, or session is expired).
the first last_issue clause does test for "last issue being way in the future" but the second makes no sense to me. Seems to me all you really want is a check for
$last_issue + [sec_session_timeout] > [ns_time]
because that's the real meaning of "session has expired." Note this automatically takes care of ANY "future." No idea why aD wanted the "way" in the future a separate clause. Were they trying to do something clever that I'm missing? Because this is definitely buggy as it stands; sec_read_security_info will fail to call ad_assign_session_id when $last_issue has timed out, but isn't yet an additional [...timeout] time in the future. Then ad_validate_security_info forces user to relogin.
2: ignore this post (response to 1)
Posted by Jonathan Ellis on
there's something funky going on, b/c sessions are timing out when they shouldn't, but this code is fine.