On 2005.06.30, Bas Scheffers <[EMAIL PROTECTED]> wrote:
> > its life) ... then in your "session getter" you just check "is the
> > session expired," in which case, you go and unset/delete the session
> > from the cache.
> But what if the user never comes back? The thing would sit there forever.
If memory is that precious, then implement a scheduled proc that runs
every 5 minutes that sweeps dead sessions. It'll be "expensive" as it
has to do an O(n) scan of all sessions, examining their expiration
stamp, but when you've already decided in the speed vs. space trade-off
to favor space over speed, then that's fine.
> I would also plan to set the cookie to expire to a little after (their PC
> clock may be off!) what the session timeout is, so the cookie would not be
> sent at all anymore if your session timeout is 30 mins and they come back
> after an hour. This would mean re-sending the cookie on every request, of
> course.
Yeah, that whole "let's send an absolute time in the Set-Cookie header
for expiration stamp instead of a relative time" was pretty bone-headed.
Set your client's system clock ahead one day, then surf a bunch of sites
and see how many of them that depend on cookies just flat out break.
:-)
Also, I wonder if there are time-sensitive attacks that can be made on
servers (where part of the attack requires knowing the victim's system
clock), mining the data out of any Set-Cookie headers being sent. If
you can figure out that the server's setting a cookie that expires in,
say, a week ... just look at the Set-Cookie: header and subtract a week,
and you've got the server's system clock down to a second or two
resolution.
Perhaps sending the expire time should have random +/- 10 second jitter
added to it, just to defeat such an attack. Heh.
> > adopt one of the existing AOLserver C modules that has no official
> > maintainer and become the official maintainer. That'd be good ... :-)
> Hehe, who knows! Let me first get my bearings before jumping into other
> people's code, though. Is there a list of "orphaned" modules on the Wiki
> or elsewhere?
I was going to start one. Start by looking at this page:
http://panoptic.com/wiki/aolserver/modules
I know one module that many folks wanted to see improvements made to is
the nsperm module. I'm in favor of a better name (i.e., "nsauth") and
making it more feature-complete and stuff. That could be a great place
for you to bring some much-needed improvement to.
-- Dossy
--
Dossy Shiobara mail: [EMAIL PROTECTED]
Panoptic Computer Network web: http://www.panoptic.com/
"He realized the fastest way to change is to laugh at your own
folly -- then you can let go and quickly move on." (p. 70)
--
AOLserver - http://www.aolserver.com/
To remove yourself from this list, simply send an email to <[EMAIL PROTECTED]>
with the body of "SIGNOFF AOLSERVER" in the email message. You can leave the
Subject: field of your email blank.
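The two eviction strategies discussed above (check-on-access in the "session getter" plus a periodic O(n) sweep for sessions whose owner never comes back), as an added example written for this thread rather than code from AOLserver or from either poster. It assumes an in-memory dict keyed by session id, a sliding idle timeout (each successful lookup pushes the expiry forward), and an injectable clock so the passage of time can be simulated; the class and function names are the example's own.

```python
import secrets
import time
from typing import Callable, Dict, Optional

# Constructed default: the "30 mins" session timeout mentioned in the thread.
SESSION_TIMEOUT_S = 30 * 60


class SessionCache:
    """In-memory session store with lazy eviction on access and an O(n) sweep."""

    def __init__(self, timeout_s: float = SESSION_TIMEOUT_S,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.timeout_s = timeout_s
        self.clock = clock          # monotonic by default; a fake clock in tests
        self._sessions: Dict[str, dict] = {}   # sid -> {"data": ..., "expires": ...}

    def create(self, data: dict) -> str:
        # 256 bits from the OS CSPRNG; never derive session ids from time or counters.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"data": data, "expires": self.clock() + self.timeout_s}
        return sid

    def get(self, sid: str) -> Optional[dict]:
        """The "session getter": returns None (and evicts) if the session has expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if entry["expires"] <= self.clock():
            del self._sessions[sid]          # lazy eviction: the user came back too late
            return None
        entry["expires"] = self.clock() + self.timeout_s   # sliding idle timeout (assumption)
        return entry["data"]

    def sweep(self) -> int:
        """Scan every session once and drop the dead ones; returns how many were removed.

        This is the O(n) pass the thread describes: it costs a full traversal,
        but it bounds memory even for users who never return.
        """
        now = self.clock()
        dead = [sid for sid, entry in self._sessions.items() if entry["expires"] <= now]
        for sid in dead:
            del self._sessions[sid]
        return len(dead)

    def __len__(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Test clock so the example can fast-forward time instead of sleeping."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def demo() -> dict:
    """Walk through both eviction paths on a constructed timeline; returns the observations."""
    clock = FakeClock()
    cache = SessionCache(timeout_s=SESSION_TIMEOUT_S, clock=clock)
    alice = cache.create({"user": "alice"})
    bob = cache.create({"user": "bob"})          # bob never comes back
    clock.advance(600)
    alice_seen = cache.get(alice)                # refreshes alice's expiry to t=2400
    clock.advance(1500)                          # t=2100: bob expired at t=1800
    bob_on_access = cache.get(bob)               # lazily evicted
    remaining_after_access = len(cache)
    clock.advance(400)                           # t=2500: alice expired at t=2400
    swept = cache.sweep()                        # the scheduled sweep catches her
    return {
        "alice_seen": alice_seen,
        "bob_on_access": bob_on_access,
        "remaining_after_access": remaining_after_access,
        "swept": swept,
        "remaining_after_sweep": len(cache),
    }
```

In AOLserver the `sweep` call would be registered with `ns_schedule_proc` at the five-minute interval the thread suggests; the example leaves scheduling to the host so that importing it starts no background thread. Storing expiry as a monotonic instant rather than a wall-clock timestamp also keeps the sweep correct across NTP adjustments to the server's clock.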
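The Set-Cookie discussion above makes two separate points: an absolute `Expires` stamp breaks for clients whose clock is off, and it lets anyone reading the header recover the server's clock by subtracting the (usually round, hence guessable) lifetime. The following added example, not code from the thread or from AOLserver, models both and the two mitigations raised: a relative `Max-Age` attribute and +/- 10 second jitter on the absolute stamp. Header layout, the `sid` cookie name and all timestamps are constructed for the example.

```python
import random
import re
from datetime import datetime, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

_EXPIRES = re.compile(r"(?i)(?:^|;\s*)expires=([^;]+)")
_MAX_AGE = re.compile(r"(?i)(?:^|;\s*)max-age=(\d+)")


def set_cookie_absolute(server_now: datetime, lifetime: timedelta,
                        jitter_s: int = 0, rng: Optional[random.Random] = None) -> str:
    """Set-Cookie with an absolute Expires stamp, optionally jittered by +/- jitter_s seconds."""
    offset = timedelta(0)
    if jitter_s:
        offset = timedelta(seconds=(rng or random).randint(-jitter_s, jitter_s))
    expires = server_now + lifetime + offset
    return f"sid=constructed; Expires={format_datetime(expires, usegmt=True)}; Path=/; HttpOnly"


def set_cookie_relative(lifetime: timedelta) -> str:
    """Set-Cookie with a relative Max-Age: reveals the lifetime, not the server clock."""
    return f"sid=constructed; Max-Age={int(lifetime.total_seconds())}; Path=/; HttpOnly"


def infer_server_clock(header: str, assumed_lifetime: timedelta) -> Optional[datetime]:
    """What an observer learns: Expires minus the guessed lifetime, or None if only Max-Age is present."""
    m = _EXPIRES.search(header)
    if not m:
        return None
    return parsedate_to_datetime(m.group(1)) - assumed_lifetime


def client_keeps_cookie(header: str, received_at: datetime, client_now: datetime) -> bool:
    """How a browser judges a stored cookie using only its own (possibly wrong) clock.

    Max-Age wins over Expires when both are present (RFC 6265), and is measured as
    elapsed time since receipt, so a skewed clock does not affect it.
    """
    m = _MAX_AGE.search(header)
    if m:
        return client_now < received_at + timedelta(seconds=int(m.group(1)))
    m = _EXPIRES.search(header)
    if m:
        return client_now < parsedate_to_datetime(m.group(1))
    return True   # no expiry attribute: a session cookie, kept until the browser closes


def demo() -> dict:
    server_now = datetime(2005, 6, 30, 12, 0, 0, tzinfo=timezone.utc)   # constructed
    lifetime = timedelta(minutes=30)
    absolute = set_cookie_absolute(server_now, lifetime)
    relative = set_cookie_relative(lifetime)
    jittered = set_cookie_absolute(server_now, lifetime, jitter_s=10, rng=random.Random(1))

    # A client whose clock runs one day ahead, checked five minutes after receipt.
    client_received = server_now + timedelta(days=1)
    client_later = client_received + timedelta(minutes=5)

    leak = infer_server_clock(absolute, lifetime)
    jitter_leak = infer_server_clock(jittered, lifetime)
    return {
        "leak_error_s": abs((leak - server_now).total_seconds()),
        "jitter_error_s": abs((jitter_leak - server_now).total_seconds()),
        "relative_leaks_clock": infer_server_clock(relative, lifetime) is not None,
        "absolute_survives_skew": client_keeps_cookie(absolute, client_received, client_later),
        "relative_survives_skew": client_keeps_cookie(relative, client_received, client_later),
    }
```

`demo()` shows the absolute stamp giving the observer the server clock to the second (HTTP dates carry no sub-second resolution), jitter widening that to at most ten seconds, and `Max-Age` removing the leak entirely while also surviving the one-day client skew that silently kills the `Expires` cookie. Some browsers of that era ignored `Max-Age`, which is why `Expires` stayed common; sending both lets conforming clients prefer the relative form.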