Remove the per-user session limit

Message ID 20200729114610.GA646215@tsubame.mg0.fr
State New
Headers show
Series
  • Remove the per-user session limit
Related show

Commit Message

Frédéric Mangano-Tarumi July 29, 2020, 11:46 a.m. UTC
This feature was originally introduced by
f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898
<https://bugs.archlinux.org/task/12898>.

As of today, it is broken because of the `q.SessionID IS NULL` condition
in the WHERE clause, which can’t be true because SessionID is not
nullable. As a consequence, the session limit was not applied.

The fact the absence of the session limit hasn’t caused any issue so
far, and hadn’t even been noticed, suggests the feature is unneeded.
---
 aurweb/routers/sso.py     |  2 +-
 conf/config.defaults      |  1 -
 web/lib/acctfuncs.inc.php | 17 -----------------
 3 files changed, 1 insertion(+), 19 deletions(-)

Comments

Lukas Fleischer Aug. 2, 2020, 1:23 p.m. UTC | #1
On Wed, 29 Jul 2020 at 07:46:10, Frédéric Mangano-Tarumi wrote:
> This feature was originally introduced by
> f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898
> <https://bugs.archlinux.org/task/12898>.
> 
> As of today, it is broken because of the `q.SessionID IS NULL` condition
> in the WHERE clause, which can\u2019t be true because SessionID is not
> nullable. As a consequence, the session limit was not applied.
> 
> The fact the absence of the session limit hasn\u2019t caused any issue so
> far, and hadn\u2019t even been noticed, suggests the feature is unneeded.
> ---
>  aurweb/routers/sso.py     |  2 +-
>  conf/config.defaults      |  1 -
>  web/lib/acctfuncs.inc.php | 17 -----------------
>  3 files changed, 1 insertion(+), 19 deletions(-)

Merged into pu, thanks!

Patch

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 2e4fbacc..73c884a4 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -56,7 +56,7 @@  def open_session(request, conn, user_id):
         raise HTTPException(status_code=403, detail=_('Account suspended'))
         # TODO This is a terrible message because it could imply the attempt at
         #      logging in just caused the suspension.
-    # TODO apply [options] max_sessions_per_user
+
     sid = uuid.uuid4().hex
     conn.execute(Sessions.insert().values(
         UsersID=user_id,
diff --git a/conf/config.defaults b/conf/config.defaults
index 49259754..98e033b7 100644
--- a/conf/config.defaults
+++ b/conf/config.defaults
@@ -13,7 +13,6 @@  passwd_min_len = 8
 default_lang = en
 default_timezone = UTC
 sql_debug = 0
-max_sessions_per_user = 8
 login_timeout = 7200
 persistent_cookie_timeout = 2592000
 max_filesize_uncompressed = 8388608
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index ebabb840..bc603d3b 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -596,23 +596,6 @@  function try_login() {
 
 	/* Generate a session ID and store it. */
 	while (!$logged_in && $num_tries < 5) {
-		$session_limit = config_get_int('options', 'max_sessions_per_user');
-		if ($session_limit) {
-			/*
-			 * Delete all user sessions except the
-			 * last ($session_limit - 1).
-			 */
-			$q = "DELETE s.* FROM Sessions s ";
-			$q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
-			$q.= "WHERE UsersId = " . $userID . " ";
-			$q.= "ORDER BY LastUpdateTS DESC ";
-			$q.= "LIMIT " . ($session_limit - 1) . ") q ";
-			$q.= "ON s.SessionID = q.SessionID ";
-			$q.= "WHERE s.UsersId = " . $userID . " ";
-			$q.= "AND q.SessionID IS NULL;";
-			$dbh->query($q);
-		}
-
 		$new_sid = new_sid();
 		$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
 		  ." VALUES (" . $userID . ", '" . $new_sid . "', " . strval(time()) . ")";