anyone have a clue what aD was thinking when they wrote this bit of
3.2 code? I'm specifically looking at the block that begins
(slightly reformatted)
if {$ad_sec_session_id == "" ||
$last_issue > [ns_time] + [sec_session_timeout] ||
$last_issue + [sec_session_timeout] < [ns_time] } {
# No session or user ID yet (or last_issue is way in the
# future, or session is expired).
...
the first last_issue clause does test for "last issue being way in
the future" but the second makes no sense to me. Seems to me all
you really want is a check for
$last_issue + [sec_session_timeout] > [ns_time]
because that's the real meaning of "session has expired." Note this
automatically takes care of ANY "future." No idea why aD wanted
the "way" in the future a separate clause. Were they trying to do
something clever that I'm missing? Because this is definitely buggy
as it stands; sec_read_security_info will fail to call
ad_assign_session_id when $last_issue has timed out, but isn't yet an
additional [...timeout] time in the future. Then
ad_validate_security_info forces user to relogin.
