Obey SessionMaxAge for session expiration

Set the session and cookie expiration to the mod_session SessionMaxAge
expiry time, if it is shorter than the credential lifetime.

Signed-off-by: Matt Rogers <mrogers@redhat.com>
Reviewed-by: Simo Sorce <simo@redhat.com>
Closes #82

diff --git a/src/sessions.c b/src/sessions.c
index d99b92d..03efc89 100644 (file)
--- a/src/sessions.c
+++ b/src/sessions.c
@@ -221,7 +221,13 @@ void mag_attempt_session(struct mag_req_cfg *cfg, struct mag_conn *mc)
 
     gsessdata.established = mc->established?1:0;
     gsessdata.delegated = mc->delegated?1:0;
+
+    if (sess->expiry != 0) {
+        mc->expiration = mc->expiration < apr_time_sec(sess->expiry) ?
+                         mc->expiration : apr_time_sec(sess->expiry);
+    }
     gsessdata.expiration = mc->expiration;
+
     if (OCTET_STRING_fromString(&gsessdata.username, mc->user_name) != 0)
         goto done;
     if (OCTET_STRING_fromString(&gsessdata.gssname, mc->gss_name) != 0)