you are fine as long as SessionInfoCacheInterval (I don't think this
is in the default openacs preferences file, but it should be; it's
used in ad-security) is much smaller than SessionCookieReissue. But
what can happen is, sec_read_security_info reissues the cookie per
SessionCookieReissue, which updates sec_sessions with the new
last_hit value BUT DEFERS THE UPDATE UNTIL THE CONN CLOSES. Thus
even though it flushes sec_get_session_info, the next call to
sec_get_session_info will reread THE VERY SAME INFORMATION it had
before, i.e. the "old" last_hit value, and unless
SessionInfoCacheInterval expires again before the session timeout
does, the user will be asked to login again.

The reason this is such a problem is that it makes "remember me
forever" users re-login as well, since normally sec_read_security_info
provides them with a new session before they'd time out. But since
sec_read_security_info uses the last_hit value from the cookie, and
ad_validate_security_info uses the (potentially incorrect) value from
the db cache, they'll get timed out and have to log in manually. (Of
course it needs to use the value from the db, because we don't want to
blindly trust the cookie here, but for things to work the value in
the db needs to be correct.)

I don't see any way around this except removing the
ad_defer_dml "cleverness," performing the write immediately so
get_session_info reads the right value.

(The only other use of ad_defer_dml is in ad_set_client_property
which is unused as far as I can tell.)