[PATCH] Remove the per-user session limit

Wed, 29 Jul 2020 04:47:24 -0700 

This feature was originally introduced by
f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898
<https://bugs.archlinux.org/task/12898>.

As of today, it is broken because of the `q.SessionID IS NULL` condition
in the WHERE clause, which can’t be true because SessionID is not
nullable. As a consequence, the session limit was not applied.

The fact the absence of the session limit hasn’t caused any issue so
far, and hadn’t even been noticed, suggests the feature is unneeded.
---
 aurweb/routers/sso.py     |  2 +-
 conf/config.defaults      |  1 -
 web/lib/acctfuncs.inc.php | 17 -----------------
 3 files changed, 1 insertion(+), 19 deletions(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 2e4fbacc..73c884a4 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -56,7 +56,7 @@ def open_session(request, conn, user_id):
         raise HTTPException(status_code=403, detail=_('Account suspended'))
         # TODO This is a terrible message because it could imply the attempt at
         #      logging in just caused the suspension.
-    # TODO apply [options] max_sessions_per_user
+
     sid = uuid.uuid4().hex
     conn.execute(Sessions.insert().values(
         UsersID=user_id,
diff --git a/conf/config.defaults b/conf/config.defaults
index 49259754..98e033b7 100644
--- a/conf/config.defaults
+++ b/conf/config.defaults
@@ -13,7 +13,6 @@ passwd_min_len = 8
 default_lang = en
 default_timezone = UTC
 sql_debug = 0
-max_sessions_per_user = 8
 login_timeout = 7200
 persistent_cookie_timeout = 2592000
 max_filesize_uncompressed = 8388608
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index ebabb840..bc603d3b 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -596,23 +596,6 @@ function try_login() {
 
        /* Generate a session ID and store it. */
        while (!$logged_in && $num_tries < 5) {
-               $session_limit = config_get_int('options', 
'max_sessions_per_user');
-               if ($session_limit) {
-                       /*
-                        * Delete all user sessions except the
-                        * last ($session_limit - 1).
-                        */
-                       $q = "DELETE s.* FROM Sessions s ";
-                       $q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
-                       $q.= "WHERE UsersId = " . $userID . " ";
-                       $q.= "ORDER BY LastUpdateTS DESC ";
-                       $q.= "LIMIT " . ($session_limit - 1) . ") q ";
-                       $q.= "ON s.SessionID = q.SessionID ";
-                       $q.= "WHERE s.UsersId = " . $userID . " ";
-                       $q.= "AND q.SessionID IS NULL;";
-                       $dbh->query($q);
-               }
-
                $new_sid = new_sid();
                $q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
                  ." VALUES (" . $userID . ", '" . $new_sid . "', " . 
strval(time()) . ")";
-- 
2.27.0

Reply via email to