[TWiki-Dev] [SVN] KennethLavrsen r12696 - twiki/branches/Patch04x01/lib/TWiki

[<de...@de...>]

Author: KennethLavrsen
Date: 2007-01-31 12:50:39 -0600 (Wed, 31 Jan 2007)
New Revision: 12696

Modified:
   twiki/branches/Patch04x01/lib/TWiki/Client.pm
Log:
Item3523: Simplification of session expiry code
This code is based only on mtime which is much faster
and much safer as we never read the session files


Modified: twiki/branches/Patch04x01/lib/TWiki/Client.pm
===================================================================
--- twiki/branches/Patch04x01/lib/TWiki/Client.pm	2007-01-31 18:43:03 UTC (rev 12695)
+++ twiki/branches/Patch04x01/lib/TWiki/Client.pm	2007-01-31 18:50:39 UTC (rev 12696)
@@ -371,45 +371,27 @@
 =cut
 
 sub expireDeadSessions {
-	my $time = time() || 0;
+    my $time = time() || 0;
     my $exp = $TWiki::cfg{Sessions}{ExpireAfter} || 36000; # 10 hours
     $exp = -$exp if $exp < 0;
 
-	opendir(D, $TWiki::cfg{Sessions}{Dir}) || return;
-	foreach my $file ( grep { /^(passthru|cgisess)_[0-9a-f]{32}/ } readdir(D) ) {
+    opendir(D, $TWiki::cfg{Sessions}{Dir}) || return;
+    foreach my $file ( grep { /^(passthru|cgisess)_[0-9a-f]{32}/ } readdir(D) ) {
         $file = TWiki::Sandbox::untaintUnchecked(
             $TWiki::cfg{Sessions}{Dir}.'/'.$file );
-		my @stat = stat( $file );
-        # Kill old files.
-		# Ignore tiny new files. They can't be complete sessions.
-        if( defined($stat[7]) ) {
-            my $lat = $stat[8] || $stat[9] || $stat[10] || 0;
-            unlink $file if( $time - $lat >= $exp );
-            next;
-		}
-
-        # Just kill passthru files
-        next if $file =~ /^passthru_/;
-
-		open(F, $file) || next;
-		my $session = <F>;
-		close F;
-
-        # SMELL: security hazard?
-        $session = TWiki::Sandbox::untaintUnchecked( $session );
-
-        my $D;
-		eval $session;
-		next if ( $@ );
-        # The session is expired if it is empty, hasn't been accessed in ages
-        # or has exceeded its registered expiry time.
-        if( !$D || $time >= $D->{_SESSION_ATIME} + $exp ||
-              $D->{_SESSION_ETIME} && $time >= $D->{_SESSION_ETIME} ) {
-            unlink( $file );
-            next;
-        }
-	}
-	closedir D;
+        my @stat = stat( $file );
+        # CGI::Session updates the session file each time a browser views a
+        # topic setting the access and expiry time as values in the file. This 
+        # also sets the mtime (modification time) for the file which is all we need.
+        # We know that the expiry time is mtime + $TWiki::cfg{Sessions}{ExpireAfter}
+        # so we do not need to waste execution time opening and reading the file.
+        # We just check the mtime. mtime is confirmed set in both Windows and Linux
+        # As a fallback we also check ctime. Files are deleted when they expire.
+        my $lat = $stat[9] || $stat[10] || 0;
+        unlink $file if ( $time - $lat >= $exp );
+        next;
+    }
+    closedir D;
 }
 
 =pod