Claudio Kuenzler wrote: > On Tue, May 1, 2012 at 12:49 PM, A.L.E.C <[email protected] > <mailto:[email protected]>> wrote: > > Digging into session issues I've found this keep-alive thing a little > bit overcomplicated and unclear. The keep-alive setting handles two > things: session keeping and new-mail checking. Some plugins also bind to > keep-alive to do some recurring actions (e.g. to display calendar > alarms, etc.). > > I think we should split these functionalities. So keep-alive action > should be used only for session keeping. In such case we need to execute > keep-alive action only after some inactivity time (e.g. session_lifetime > - 1min [or 5%]). It means timer should be resetted on every reequest. > Also it means we don't need a separate config option, because the > interval would be calculated from session_lifetime. For > session_lifetime=0 there would be no keep-alive requests. > > > Wasn't the whole keep-alive timer removed in change 6135 ?
Nope, that wasn't removed. I removed the separate request_timeout timer but set a timeout to the jquery ajax api instead. > > By the way, since applying R6134 and 6135, the following entries are added > every 5min to sessions log: > > [01-May-2012 12:40:58 +0200]: Session auth check failed for > tmuc32t92k18dhpn0brnjtcra6; timeslot = 2012-05-01 12:40:00 > [01-May-2012 12:40:58 +0200]: Send new auth cookie for > tmuc32t92k18dhpn0brnjtcra6: S53fabb9110e91180a0496334c87df7aac72d70d9 > [...] That's correct and I assume to have log_session enabled in config. The auth cookie is valid for 5 minutes (session_lifetime / 2) and is then replaced with a new value. That process is logged here for debugging purposes. The whole session auth cookie is meant to be an additional protection against session hijacking because it changes during a session whereas the actual session cookie doesn't. ~Thomas _______________________________________________ Roundcube Development discussion mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/dev
