Rick Widmer wrote:

QUESTION: Is there a better way to 'touch' the session file to extend the session than opening it for append, then closing it? The goal is to update the mtime without altering the file contents.

Hmm, interesting question. I don't see any other way than the one you described at the moment.

[...]
I have added three defines in qmailadmin.h that should actually be set by ./configure options:

SESSION_PATH - Where to store the session files.

SESSION_LIFETIME - How long (in seconds) until a session expires.

SESSION_SECRET - A string that should be different at each site that is mixed into the MD5 hash. This should make it harder for an outsider to guess session ID values.

I think it would be good if we could make SESSION_SECRET independent of the configure line. It should IMO be possible to run only ./configure without any options.

I think we should also add a probability for how often the garbage collector is executed and deletes the expired session files. Executing it every time QmailAdmin is executed is IMO too much and only slows it down.

The session ID is currently the MD5 hash of the SESSION_SECRET and the current time. If anyone has a portable suggestion on increasing the randomness, please let me know.

Random numbers are more or less always generated from the current time, but I think we could perhaps generate the SESSION_SECRET string randomly, too. Or repeat the hashing a random number of times (1-10 for example).

[...]

Logging in and logging out are working, but I have a problem if you log out and want to log back in. I want to delete the cookie from your browser when you log out, but if I do that and then drop you into the login page, things get confused and the login does not work. Right now I am working around it by dropping you into a page that tells you that you are logged out and providing a link back to login, but that does not currently maintain any user= and dom= passed when QmailAdmin was first run. I guess I can store them in the session file when you first log in. Anyone have a better idea?

Why do things get messed up? I would do a logout like this:
1) Delete the cookie / no more sids in the URLs.
2) Delete the session file on the server.

On a relogin you create everything new as it would be the first login.

[...]


It will be a few days before I post updated code...

You are really doing a great job! Thanks.

Rick

Philipp
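A worked illustration of the session-file handling discussed in this thread, added here as an example; it is not code from the thread or from QmailAdmin. It shows the three points raised above from the implementation side: a session ID drawn from /dev/urandom (assumed to exist on the target system) instead of an MD5 of SESSION_SECRET plus the current time, extending a session by updating the file's mtime with utime() rather than opening it for append, and running the expired-session garbage collector on only a fraction of requests. It also checks the ID before using it as a file name, so a cookie value can never become a path component. SESSION_PATH, SESSION_LIFETIME, GC_PROBABILITY, SESSION_ID_LEN and every function name are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <sys/stat.h>
#include <unistd.h>
#include <utime.h>
/* Constructed settings standing in for the defines discussed in the thread. */
#define SESSION_PATH     "/tmp/qa-session-example"
#define SESSION_LIFETIME 3600   /* seconds of idle time before a session expires */
#define GC_PROBABILITY   20     /* run the collector on about 1 in 20 invocations */
#define SESSION_ID_LEN   32     /* 16 random bytes, hex-encoded */

/* Session ID from /dev/urandom (assumed present), hex-encoded into buf; 0 on success. */
int make_session_id(char *buf, size_t buflen)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[SESSION_ID_LEN / 2];
    size_t i; FILE *f;
    if (buflen < SESSION_ID_LEN + 1) return -1;
    if ((f = fopen("/dev/urandom", "rb")) == NULL) return -1;
    if (fread(raw, 1, sizeof raw, f) != sizeof raw) { fclose(f); return -1; }
    fclose(f);
    for (i = 0; i < sizeof raw; i++) {
        buf[2 * i]     = hex[raw[i] >> 4];
        buf[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    buf[SESSION_ID_LEN] = '\0';
    return 0;
}

/* Accept only SESSION_ID_LEN lowercase hex chars: a cookie value can then never become "../". */
int session_id_valid(const char *id)
{
    size_t i, n = strlen(id);
    if (n != SESSION_ID_LEN) return 0;
    for (i = 0; i < n; i++)
        if (!((id[i] >= '0' && id[i] <= '9') || (id[i] >= 'a' && id[i] <= 'f')))
            return 0;
    return 1;
}

/* Extend a session: utime() with NULL sets atime/mtime to now without opening the file. */
int session_touch(const char *id)
{
    char path[512];
    if (!session_id_valid(id)) return -1;
    snprintf(path, sizeof path, "%s/%s", SESSION_PATH, id);
    return utime(path, NULL);
}

/* Expired when the file is missing or idle longer than SESSION_LIFETIME. */
int session_expired(const char *path, time_t now)
{
    struct stat st;
    if (stat(path, &st) != 0) return 1;
    return (now - st.st_mtime) > SESSION_LIFETIME;
}

/* Delete expired session files; returns how many were removed, -1 on error. */
int session_gc(time_t now)
{
    char path[512]; struct dirent *e;
    int removed = 0; DIR *d = opendir(SESSION_PATH);
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (!session_id_valid(e->d_name)) continue;   /* skips ".", ".." and strays */
        snprintf(path, sizeof path, "%s/%s", SESSION_PATH, e->d_name);
        if (session_expired(path, now) && unlink(path) == 0) removed++;
    }
    closedir(d);
    return removed;
}

/* Collect on roughly 1 of every GC_PROBABILITY requests; roll is a random value drawn per request. */
int maybe_gc(unsigned roll, time_t now)
{
    return (roll % GC_PROBABILITY == 0) ? session_gc(now) : 0;
}

/* Exercise the helpers end to end; returns 0 on success, else the failing step. */
int run_demo(void)
{
    char id[SESSION_ID_LEN + 1], path[512]; FILE *f;
    struct utimbuf stale; time_t now = time(NULL);
    mkdir(SESSION_PATH, 0700);   /* fine if it already exists */
    if (make_session_id(id, sizeof id) != 0 || !session_id_valid(id)) return 1;
    snprintf(path, sizeof path, "%s/%s", SESSION_PATH, id);
    if ((f = fopen(path, "w")) == NULL) return 2;
    fputs("user=postmaster\ndom=example.com\n", f); fclose(f);   /* constructed session data */
    stale.actime = stale.modtime = now - 2 * SESSION_LIFETIME;     /* backdate: now expired */
    if (utime(path, &stale) != 0 || !session_expired(path, now)) return 3;
    if (session_touch(id) != 0 || session_expired(path, time(NULL))) return 4;
    if (utime(path, &stale) != 0) return 5;                          /* backdate again */
    if (maybe_gc(1, now) != 0 || access(path, F_OK) != 0) return 6;  /* roll misses: kept */
    if (maybe_gc(GC_PROBABILITY, now) < 1 || access(path, F_OK) == 0) return 7;
    rmdir(SESSION_PATH);
    return 0;
}
```

run_demo() walks through the whole lifecycle against a scratch directory: create a session file, backdate it so it counts as expired, revive it with session_touch(), backdate it again and confirm that a miss on the GC roll leaves it alone while a hit removes it. In QmailAdmin itself the roll would come from the same random source as the ID, and the mtime-based expiry check would run on every request before the session is trusted.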
