Improved session cleanup handling

Added session status "new" to mark sessions that are in the session database to reserve the session id but not resumable yet and that we want to separate from sessions that has been invalidated for further reuse.
author: Ingela Anderton Andin <[email protected]> 2011-11-15 10:21:25 +0100
committer: Ingela Anderton Andin <[email protected]> 2011-11-15 11:07:11 +0100
commit: 93c099b6a02ba8c98392a69d6224e3bfe3c69c8e (patch)
tree: 0293358721d9c295218e3f62f9bbd5fa7e04328e /lib/ssl/src
parent: e33d0c96674874270d879b7b2df17cff0606a94b (diff)
download: otp-93c099b6a02ba8c98392a69d6224e3bfe3c69c8e.tar.gz
otp-93c099b6a02ba8c98392a69d6224e3bfe3c69c8e.tar.bz2
otp-93c099b6a02ba8c98392a69d6224e3bfe3c69c8e.zip
3 files changed, 37 insertions, 25 deletions
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 9c658ecfba..0c44d3ae90 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -352,8 +352,7 @@ hello(start, #state{host = Host, port = Port, role = client,
     State1 = State0#state{connection_states = CS2,
 			 negotiated_version = Version, %% Requested version
 			  session =
-			      Session0#session{session_id = Hello#client_hello.session_id,
-					       is_resumable = false},
+			      Session0#session{session_id = Hello#client_hello.session_id},
 			  tls_handshake_hashes = Hashes1},
     {Record, State} = next_record(State1),
     next_state(hello, Record, State);
@@ -2008,16 +2007,16 @@ next_state_is_connection(State0) ->
 					       public_key_info = undefined,
 					       tls_handshake_hashes = {<<>>, <<>>}}).
 
-register_session(_, _, _, #session{is_resumable = true} = Session) ->
-    Session; %% Already registered
-register_session(client, Host, Port, Session0) ->
+register_session(client, Host, Port, #session{is_resumable = new} = Session0) ->
     Session = Session0#session{is_resumable = true},
     ssl_manager:register_session(Host, Port, Session),
     Session;
-register_session(server, _, Port, Session0) ->
+register_session(server, _, Port, #session{is_resumable = new} = Session0) ->
     Session = Session0#session{is_resumable = true},
     ssl_manager:register_session(Port, Session),
-    Session.
+    Session;
+register_session(_, _, _, Session) ->
+    Session. %% Already registered
 
 invalidate_session(client, Host, Port, Session) ->
     ssl_manager:invalidate_session(Host, Port, Session);
@@ -2041,7 +2040,7 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions}, User,
 	   %% We do not want to save the password in the state so that
 	   %% could be written in the clear into error logs.
 	   ssl_options = SSLOptions#ssl_options{password = undefined},	   
-	   session = #session{is_resumable = false},
+	   session = #session{is_resumable = new},
 	   transport_cb = CbModule,
 	   data_tag = DataTag,
 	   close_tag = CloseTag,
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index dcf310c535..21fc47a69f 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -278,25 +278,16 @@ handle_cast({register_session, Port, Session},
     CacheCb:update(Cache, {Port, NewSession#session.session_id}, NewSession),
     {noreply, State};
 
-%%% When a session is invalidated we need to wait a while before deleting
-%%% it as there might be pending connections that rightfully needs to look
-%%% up the session data but new connections should not get to use this session.
 handle_cast({invalidate_session, Host, Port,
 	     #session{session_id = ID} = Session},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    CacheCb:update(Cache, {{Host, Port}, ID}, Session#session{is_resumable = false}),
-    TRef =
-	erlang:send_after(delay_time(), self(), {delayed_clean_session, {{Host, Port}, ID}}),
-    {noreply, State#state{last_delay_timer = TRef}};
+    invalidate_session(Cache, CacheCb, {{Host, Port}, ID}, Session, State);
 
 handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    CacheCb:update(Cache, {Port, ID}, Session#session{is_resumable = false}),
-    TRef =
-	erlang:send_after(delay_time(), self(), {delayed_clean_session, {Port, ID}}),
-    {noreply, State#state{last_delay_timer = TRef}};
+    invalidate_session(Cache, CacheCb, {Port, ID}, Session, State);
 
 handle_cast({recache_pem, File, LastWrite, Pid, From},
 	    #state{certificate_db = [_, FileToRefDb, _]} = State0) ->
@@ -320,7 +311,7 @@ handle_cast({recache_pem, File, LastWrite, Pid, From},
 %%				      {stop, reason(), #state{}}.
 %%
 %% Description: Handling all non call/cast messages
-%%-------------------------------------------------------------------- 
+%%-------------------------------------------------------------------
 handle_info(validate_sessions, #state{session_cache_cb = CacheCb,
 				      session_cache = Cache,
 				      session_lifetime = LifeTime
@@ -444,3 +435,20 @@ delay_time() ->
 	_ ->
 	   ?CLEAN_SESSION_DB
     end.
+
+invalidate_session(Cache, CacheCb, Key, Session, State) ->
+    case CacheCb:lookup(Cache, Key) of
+	undefined -> %% Session is already invalidated
+	    {noreply, State};
+	#session{is_resumable = new} ->
+	    CacheCb:delete(Cache, Key),
+	    {noreply, State};
+	_ ->
+	    %% When a registered session is invalidated we need to wait a while before deleting
+	    %% it as there might be pending connections that rightfully needs to look
+	    %% up the session data but new connections should not get to use this session.
+	    CacheCb:update(Cache, Key, Session#session{is_resumable = false}),
+	    TRef =
+		erlang:send_after(delay_time(), self(), {delayed_clean_session, Key}),
+	    {noreply, State#state{last_delay_timer = TRef}}
+    end.
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index bf738649f6..df5d7e0146 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -103,9 +103,9 @@ select_session([], _, _) ->
 
 select_session(Sessions, #ssl_options{ciphers = Ciphers,
 				      reuse_sessions = ReuseSession}, OwnCert) ->
-    IsResumable = 
- 	fun(Session) -> 
- 		ReuseSession andalso (Session#session.is_resumable) andalso  
+    IsResumable =
+	fun(Session) ->
+		ReuseSession andalso resumable(Session#session.is_resumable) andalso
  		    lists:member(Session#session.cipher_suite, Ciphers)
 		    andalso (OwnCert == Session#session.own_certificate)
  	end,
@@ -147,10 +147,10 @@ is_resumable(SuggestedSessionId, Port, ReuseEnabled, ReuseFun, Cache,
 	#session{cipher_suite = CipherSuite,
 		 own_certificate = SessionOwnCert,
 		 compression_method = Compression,
-		 is_resumable = Is_resumable,
+		 is_resumable = IsResumable,
 		 peer_certificate = PeerCert} = Session ->
 	    ReuseEnabled 
-		andalso Is_resumable  
+		andalso resumable(IsResumable)
 		andalso (OwnCert == SessionOwnCert)
 		andalso valid_session(Session, SecondLifeTime) 
 		andalso ReuseFun(SuggestedSessionId, PeerCert, 
@@ -158,3 +158,8 @@ is_resumable(SuggestedSessionId, Port, ReuseEnabled, ReuseFun, Cache,
 	undefined ->
 	    false
     end.
+
+resumable(new) ->
+    false;
+resumable(IsResumable) ->
+    IsResumable.
author	Ingela Anderton Andin <[email protected]>	2011-11-15 10:21:25 +0100
committer	Ingela Anderton Andin <[email protected]>	2011-11-15 11:07:11 +0100
commit	93c099b6a02ba8c98392a69d6224e3bfe3c69c8e (patch)
tree	0293358721d9c295218e3f62f9bbd5fa7e04328e /lib/ssl/src
parent	e33d0c96674874270d879b7b2df17cff0606a94b (diff)
download	otp-93c099b6a02ba8c98392a69d6224e3bfe3c69c8e.tar.gz otp-93c099b6a02ba8c98392a69d6224e3bfe3c69c8e.tar.bz2 otp-93c099b6a02ba8c98392a69d6224e3bfe3c69c8e.zip