On Jan 18, 2004, at 8:29 PM, Rick Widmer wrote:
QUESTION: Is there a better way to 'touch' the session file to extend the session than opening it for append, then closing it? The goal is to update the mtime without altering the file contents.

That's probably the best method. I googled for the source to touch.c, and found one version that actually read the first byte, rewound the file, and wrote it back.


Anyway, I have been working on session handling. I found this MD5 library on SourceForge, and it appears to me that we can add the md5.c and md5.h files to our distribution (unchanged) and add a note where they came from, and how to get the entire package in our docs.

http://sourceforge.net/projects/libmd5-rfc/

You might be able to piggy-back off the md5 code in vpopmail...


I have added three defines in qmailadmin.h, that should actually be set by ./configure options:

SESSION_PATH - Where to store the session files.

SESSION_LIFETIME - How long (in seconds) until a session expires.

SESSION_SECRET - A string that should be different at each site that is mixed into the MD5 hash. This should make it harder for an outsider to guess session ID values.

I'm sure we can add these to the configure.in script. It might even be possible to randomly build SESSION_SECRET.


The session ID is currently the MD5 hash of the SESSION_SECRET and the current time. If anyone has a portable suggestion on increasing the randomness, please let me know.

You could read from /dev/random or /dev/urandom, if present. There's a patch pending for vpopmail that uses that device for random data.


If cookies are available I store the MD5 hash there, if not I pass it either in the URL of a link, or in a hidden field for forms. I no longer pass user, dom and time in any URLs. (But you can still set the fields on the login page by passing them.)

Excellent.


Logging in and logging out are working, but I have a problem if you log out and want to log back in. I want to delete the cookie from your browser when you log out, but if I do that and then drop you into the login page, things get confused and the login does not work.

Why doesn't it work? Are you drawing the page before you have a chance to send a blank cookie in the header?


Right now I am working around it by dropping you into a page that tells you that you are logged out, and providing a link back to login - but that does not currently maintain any user= and dom= passed when QmailAdmin was first run. I guess I can store them in the session file when you first login. Anyone have a better idea?

I am also continuing my attack on global variables, and increasing the use of function parms. Currently everything but the login/logout functions is very broken. When I am done the following global variables will be gone:

Password, Gecos, Quota, Time, Action, Newu, Password1, Password2, Crypted, Alias, AliasType, LineData, Message, SearchUser, Mytime and possibly others.

This is wonderful. Thanks for putting in the time and effort to clean this up.


It will be a few days before I post updated code...

Once 1.2.0 is released as final, I'll add you to SourceForge, branch CVS off for the 1.2 series, and you can take control of the development series with your work.


--
Tom Collins  -  [EMAIL PROTECTED]
QmailAdmin: http://qmailadmin.sf.net/  Vpopmail: http://vpopmail.sf.net/
Info on the Sniffter hand-held Network Tester: http://sniffter.com/
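The thread above covers three pieces of the session design: generating the session ID (currently MD5 of SESSION_SECRET plus the time, with /dev/urandom suggested as a better entropy source), refreshing a session file's mtime to extend it, and accepting the ID back from a cookie, URL or hidden field. The following C program is an added example written for this page; it is not qmailadmin's or vpopmail's code. It assumes /dev/urandom exists and uses utime() with a NULL times argument to update mtime without opening the file (an alternative not discussed in the thread); the lifetime value, file path template and function names are made up for the example. It also shows the check a session ID taken from user input should pass before it is used to build a file name under SESSION_PATH.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>
#include <utime.h>

#define SESSION_ID_BYTES 16                      /* 128 bits from /dev/urandom */
#define SESSION_ID_LEN   (SESSION_ID_BYTES * 2)  /* length as lowercase hex */
#define SESSION_LIFETIME 3600                    /* seconds; sample value for this example */

/* Build a session ID from /dev/urandom rather than from MD5(secret + time).
 * Returns 0 on success, -1 if the device is missing or a read fails. */
int session_id_new(char out[SESSION_ID_LEN + 1])
{
    unsigned char raw[SESSION_ID_BYTES];
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < sizeof raw) {               /* loop: read() may return short */
        ssize_t n = read(fd, raw + got, sizeof raw - got);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);  /* writes the final NUL too */
    return 0;
}

/* Accept only IDs that are exactly SESSION_ID_LEN lowercase hex characters.
 * An ID arriving in a cookie, URL or hidden form field is attacker-controlled;
 * this rules out '/', "..", and anything else before the ID becomes part of a
 * path under SESSION_PATH. */
int session_id_valid(const char *id)
{
    return id != NULL
        && strspn(id, "0123456789abcdef") == SESSION_ID_LEN
        && id[SESSION_ID_LEN] == '\0';
}

/* Extend the session: utime() with NULL sets atime and mtime to "now"
 * without opening or rewriting the file. Returns 0 on success. */
int session_touch(const char *path)
{
    return utime(path, NULL);
}

/* A session is alive if its file exists and its mtime is within lifetime. */
int session_alive(const char *path, time_t lifetime, time_t now)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return (now - st.st_mtime) <= lifetime;
}

/* Walk one session through creation, expiry, refresh and removal on a
 * temporary file. Returns 0 if every step behaved as expected, otherwise
 * the number of the step that failed. */
int session_lifecycle_demo(void)
{
    char id1[SESSION_ID_LEN + 1], id2[SESSION_ID_LEN + 1];
    if (session_id_new(id1) != 0 || !session_id_valid(id1))
        return 1;
    if (session_id_new(id2) != 0 || strcmp(id1, id2) == 0)   /* two draws must differ */
        return 2;

    char path[] = "/tmp/qa_session_XXXXXX";       /* constructed path template */
    int fd = mkstemp(path);
    if (fd < 0)
        return 3;
    close(fd);

    time_t now = time(NULL);
    int rc = 0;
    /* Backdate mtime so the session looks expired, then refresh it. */
    struct utimbuf old = { now - 2 * SESSION_LIFETIME, now - 2 * SESSION_LIFETIME };
    if (utime(path, &old) != 0)                             rc = 4;
    else if (session_alive(path, SESSION_LIFETIME, now))    rc = 5;  /* should be expired */
    else if (session_touch(path) != 0)                      rc = 6;
    else if (!session_alive(path, SESSION_LIFETIME, now))   rc = 7;  /* refreshed */

    unlink(path);                                           /* logout: remove the file */
    if (rc == 0 && session_alive(path, SESSION_LIFETIME, now))
        rc = 8;                                             /* missing file is not alive */
    return rc;
}

int main(void)
{
    char id[SESSION_ID_LEN + 1];
    if (session_id_new(id) != 0) {
        perror("session_id_new");
        return 1;
    }
    printf("new session id: %s (valid=%d)\n", id, session_id_valid(id));
    int rc = session_lifecycle_demo();
    printf("lifecycle demo: %s (step %d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

Two design points worth noting: the hex encoding means the validity check is a pure character-class test, so no decoding is needed before the ID is trusted as a file name component; and because expiry is judged from the file's mtime, a stale clock or a backup restore that changes mtimes will silently extend or cut sessions, which is why the check compares against a caller-supplied `now` rather than calling time() internally.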


