When re-creating an expired session, re-use the
authorArt Cancro <ajc@citadel.org>
Sat, 10 Mar 2007 21:03:36 +0000 (21:03 +0000)
committerArt Cancro <ajc@citadel.org>
Sat, 10 Mar 2007 21:03:36 +0000 (21:03 +0000)
session ID number that they had before.  Although the client
browser is supposed to pick up the new session ID from the next
cookie and start using it, some badly configured clients do not
do this, causing many new sessions to be created.

webcit/context_loop.c
webcit/cookie_conversion.c

index e276383f7342b1b35f9bb702853a19fac1fbd7ba..7f18c09764e39107af46feb81fde7576ff5f14b0 100644 (file)
@@ -441,7 +441,20 @@ void context_loop(int sock)
                memset(TheSession, 0, sizeof(struct wcsession));
                TheSession->serv_sock = (-1);
                TheSession->chat_sock = (-1);
-               TheSession->wc_session = GenerateSessionID();
+       
+               /* If we're recreating a session that expired, it's best to give it the same
+                * session number that it had before.  The client browser ought to pick up
+                * the new session number and start using it, but in some rare situations it
+                * doesn't, and that's a Bad Thing because it causes lots of spurious sessions
+                * to get created.
+                */     
+               if (desired_session == 0) {
+                       TheSession->wc_session = GenerateSessionID();
+               }
+               else {
+                       TheSession->wc_session = desired_session;
+               }
+
                strcpy(TheSession->httpauth_user, httpauth_user);
                strcpy(TheSession->httpauth_pass, httpauth_pass);
                pthread_mutex_init(&TheSession->SessionMutex, NULL);
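Review bot: The new else branch, `TheSession->wc_session = desired_session;`, adopts any nonzero ID the request asked for, and nothing in the hunk shows that this server ever issued that ID or that no other live session holds it. desired_session is presumably parsed from the client's cookie (its origin is outside the hunk, as are the start and end of context_loop), so the client rather than the server ends up choosing the session identifier, which is the precondition for session fixation (CWE-384). I would reuse the old number only when the server can confirm it handed it out, for example from a short-lived record of recently expired IDs, and fall back to `GenerateSessionID()` otherwise. If the behaviour stays as is, the block comment should say so, e.g. `/* desired_session is client-supplied and is accepted here without checking that we issued it */`.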
index 24e29ce740872f44a6bda5601b6ddba7862b2bf2..ad8717b07af0947d88e1e01f58e8ad08518758dd 100644 (file)
@@ -86,6 +86,18 @@ void cookie_to_stuff(char *cookie, int *session,
                buf[i+1] = 0;
        }
 
+/* debug
+       char t[256];
+       extract_token(t, buf, 0, '|', sizeof t);
+       lprintf(9, "SESS: %s\n", t);
+       extract_token(t, buf, 1, '|', sizeof t);
+       lprintf(9, "USER: %s\n", t);
+       extract_token(t, buf, 2, '|', sizeof t);
+       lprintf(9, "PASS: %s\n", t);
+       extract_token(t, buf, 3, '|', sizeof t);
+       lprintf(9, "ROOM: %s\n", t);
+ debug */
+
        if (session != NULL)
                *session = extract_int(buf, 0);
        if (user != NULL)
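Review bot: The commented-out debug block contains `lprintf(9, "PASS: %s\n", t);`, which would write the password field decoded from the cookie into the log as soon as someone re-enables the block. Commented-out code is better left out of the commit; if the trace is worth keeping, put it behind a compile-time switch and log only whether the field is present, e.g. `lprintf(9, "PASS: %s\n", (t[0] ? "(set)" : "(empty)"));`. The USER and ROOM lines also record account activity, so they deserve the same switch. cookie_to_stuff starts and ends outside the hunk, so how buf is filled and bounded cannot be judged from here.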