rustls
Should session expiration time be reset upon each usage?
I notice that in `save_session` we have:

```rust
value.set_times(ticketer::timebase(), recvd_ticket.new_ticket_lifetime, 0);
```
If I understand correctly, if the session was retrieved from the cache, this extends the lifetime of the ticket to the current time + its lifetime. However, I think if the session was retrieved from the cache then we should preserve its expiration time instead of extending it. Otherwise a session that is regularly resumed will never expire?
Isn't the proper way to logically extend a session to issue a brand new ticket on the resumed session, rather than permitting reuse of the ticket any number of times?
> Isn't the proper way to logically extend a session to issue a brand new ticket on the resumed session, rather than permitting reuse of the ticket any number of times?
That is a good policy and is tracked in #466, if I'm understanding you correctly. That requires some cooperation from the server to issue the new tickets. We still need to handle the case where the peer isn't giving us any new tickets, which is what this issue (#657) is intended to address.
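The two client-side policies discussed in this thread, as an added example that is not rustls code and not part of the original posts. `Policy`, `Ticket`, `Cache`, `first_refusal` and the host name are hypothetical; the sketch assumes the server sends no replacement ticket on resumption.

```rust
// Added illustration: Policy, Ticket, Cache and first_refusal are hypothetical
// names and do not mirror rustls internals.
use std::collections::HashMap;

#[derive(Clone, Copy)]
pub enum Policy {
    ResetOnReuse,   // restamp the ticket on every save (the behaviour questioned)
    PreserveExpiry, // keep the timestamp from when the ticket was first received
}

#[derive(Clone, Copy)]
pub struct Ticket { pub received_at: u64, pub lifetime: u32 } // both in seconds
impl Ticket {
    pub fn expired(&self, now: u64) -> bool { now >= self.received_at + u64::from(self.lifetime) }
}

pub struct Cache { policy: Policy, entries: HashMap<String, Ticket> }
impl Cache {
    pub fn new(policy: Policy) -> Self { Cache { policy, entries: HashMap::new() } }

    /// `resumed_from` is the cached ticket this handshake resumed from, when the
    /// server sent no replacement ticket.
    pub fn save_session(&mut self, host: &str, now: u64, lifetime: u32, resumed_from: Option<Ticket>) {
        let received_at = match (self.policy, resumed_from) {
            (Policy::PreserveExpiry, Some(old)) => old.received_at,
            _ => now,
        };
        self.entries.insert(host.to_string(), Ticket { received_at, lifetime });
    }

    /// Only hand out tickets that have not yet expired.
    pub fn get(&self, host: &str, now: u64) -> Option<Ticket> {
        self.entries.get(host).copied().filter(|t| !t.expired(now))
    }
}

/// Resume every `step` seconds; return when the cache first withholds the ticket.
pub fn first_refusal(policy: Policy, lifetime: u32, step: u64, horizon: u64) -> Option<u64> {
    let mut cache = Cache::new(policy);
    cache.save_session("example.test", 0, lifetime, None); // constructed host name
    let mut now = step;
    while now <= horizon {
        match cache.get("example.test", now) {
            Some(t) => cache.save_session("example.test", now, t.lifetime, Some(t)),
            None => return Some(now),
        }
        now += step;
    }
    None
}
```

With a 300-second lifetime and a resumption every 100 seconds, the reset policy keeps the ticket usable for the whole simulated window, while the preserve policy stops offering it at the original expiry.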