I'm looking at implementing sessions as processes and have a couple of questions about various yaws_* modules involved with cookies and sessions.

First off, it looks to me like there is no correlation between cookie expiration and session expiration. session1.yaws suggests that we create sessions with something like the following (I think I don't have the ttl & expire values matching up):

Cookie = yaws_api:new_cookie_session(Opaque,Ttl),
SetCookie = yaws_api:setcookie("foo",Cookie,"/",Ttl)

But I can't find where either the cookie or the session expiration is enforced.

yaws_session_server has a trav_ets function which detects session expiration, but the only place I can find that it's called is from yaws_session_server:handle_info(timeout,_). I also can't find anybody issuing 'yaws_session_server ! timeout'. Is there something that I'm missing or are sessions not automatically deleted?

Also from session1.yaws, to retrieve the opaque value for a session, one does:

Cookie  = yaws_api:find_cookie_val(Cookies,"foo"),
Opaque = yaws_api:cookieval_to_opaque(Cookie)

But it doesn't look to me like anybody is checking to see if the cookie has expired. yaws_* is trusting that the user-agent will acknowledge the max-age attribute of the set-cookie2 header generated via yaws_api:setcookie(), which isn't required by RFC 2965.

Again, the problems I see are:

1) yaws_session_server has a memory leak -- it never forgets about a session.
2) stale cookies are accepted by yaws_*.
3) put 1 & 2 together and there's the potential for a pretty big security hole.

Whether or not I'm right about all of this, does anybody see value in a re-working of the session and cookie management? I wouldn't mind working on it for yaws-2.0 ;)

One immediate improvement that I can see would be to merge new_cookie_session with setcookie and find_cookie_val with cookieval_to_opaque and add sanity checks at all places.

{ Cookie , SetCookie } = yaws_api:new_cookie_session("foo",Opaque,Ttl).
{ Cookie , Opaque     } = yaws_api:find_cookie_session("foo",Cookies).

Trav_ets() could possibly be replaced by using something like timer:send_after.  I'd also like to be able to know when a session is being deleted or when it times out.  I'm starting out with just passing in a callback, but I think there's some cooler ways to do it.

Thoughts?

-Adam
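As an added illustration (not Yaws code, and not Adam's proposed API), the module below models the two fixes the post asks for: the session store enforces the TTL itself on every lookup instead of trusting the user agent to honour Max-Age, and the expired-row sweep is driven by a timer the store arms for itself rather than a 'timeout' message nobody sends. All names (session_ttl_demo, new_session, find_session, the sess record) are invented for this example; cookies are random base64 tokens and TTLs are whole seconds.

```erlang
%% session_ttl_demo.erl -- added example, not part of Yaws.
%% A minimal session store: an ETS table owned by one process, with
%% server-side expiry checks and a self-rearming sweep timer.
-module(session_ttl_demo).
-export([start/1, stop/1, new_session/3, find_session/2, demo/0]).

-record(sess, {cookie, opaque, expires}).   % expires: unix time in seconds

%% Start the store process; SweepMs is the sweep interval in milliseconds.
start(SweepMs) ->
    spawn(fun() -> init(SweepMs) end).

stop(Store) ->
    call(Store, stop).

%% Create a session and return the opaque cookie token the caller should
%% hand to the user agent (Max-Age there is only a hint; the TTL is kept here).
new_session(Store, Opaque, TtlSec) ->
    call(Store, {new, Opaque, TtlSec}).

%% Resolve a cookie token; {error, expired} if the TTL has passed,
%% regardless of whether the browser still presents the cookie.
find_session(Store, Cookie) ->
    call(Store, {find, Cookie}).

init(SweepMs) ->
    Tab = ets:new(sessions, [set, private, {keypos, #sess.cookie}]),
    erlang:send_after(SweepMs, self(), sweep),   % replaces trav_ets polling
    loop(Tab, SweepMs).

loop(Tab, SweepMs) ->
    receive
        {From, Ref, {new, Opaque, Ttl}} ->
            Cookie = base64:encode(crypto:strong_rand_bytes(16)),
            Now = erlang:system_time(second),
            ets:insert(Tab, #sess{cookie = Cookie, opaque = Opaque,
                                  expires = Now + Ttl}),
            From ! {Ref, Cookie},
            loop(Tab, SweepMs);
        {From, Ref, {find, Cookie}} ->
            From ! {Ref, lookup(Tab, Cookie)},
            loop(Tab, SweepMs);
        sweep ->
            %% Periodic sweep: delete every row whose expiry is in the past,
            %% so a client that never returns cannot leak a session forever.
            Now = erlang:system_time(second),
            _Deleted = ets:select_delete(
                         Tab, [{#sess{expires = '$1', _ = '_'},
                                [{'<', '$1', Now}], [true]}]),
            erlang:send_after(SweepMs, self(), sweep),
            loop(Tab, SweepMs);
        {From, Ref, stop} ->
            From ! {Ref, ok}
    end.

%% Lookup checks the stored expiry itself: a stale cookie is rejected and
%% removed even if the sweep has not run yet.
lookup(Tab, Cookie) ->
    Now = erlang:system_time(second),
    case ets:lookup(Tab, Cookie) of
        [#sess{opaque = Opaque, expires = Exp}] when Exp > Now ->
            {ok, Opaque};
        [#sess{}] ->
            ets:delete(Tab, Cookie),
            {error, expired};
        [] ->
            {error, not_found}
    end.

call(Store, Msg) ->
    Ref = make_ref(),
    Store ! {self(), Ref, Msg},
    receive {Ref, Reply} -> Reply after 5000 -> {error, timeout} end.

%% Walk through the lifecycle: fresh lookup succeeds, the same cookie is
%% refused once its 1-second TTL has elapsed, and the store forgets it.
demo() ->
    Store = start(60000),
    Cookie = new_session(Store, {user, "adam"}, 1),
    {ok, {user, "adam"}} = find_session(Store, Cookie),
    timer:sleep(1100),
    {error, expired} = find_session(Store, Cookie),
    {error, not_found} = find_session(Store, Cookie),
    ok = stop(Store),
    ok.
```

The point of the example is the split of responsibilities: the Set-Cookie Max-Age value only advises the browser, while the server keeps its own expiry and checks it on every lookup, which closes the "stale cookies are accepted" problem independently of whether the sweep has run. With a real session server one would also want to hook a callback or monitor at the two deletion points (the lookup reject and the sweep), which is where the notification the post asks for would go.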