[PATCH] Remove the per-user session limit

Wed Jul 29 11:46:10 UTC 2020

This feature was originally introduced by
f961ffd9c7f2d3d51d3e3b060990a4fef9e56c1b as a fix for FS#12898
<https://bugs.archlinux.org/task/12898>.

As of today, it is broken because of the `q.SessionID IS NULL` condition
in the WHERE clause, which can’t be true because SessionID is not
nullable. As a consequence, the session limit was not applied.

The fact the absence of the session limit hasn’t caused any issue so
far, and hadn’t even been noticed, suggests the feature is unneeded.
---
 aurweb/routers/sso.py     |  2 +-
 conf/config.defaults      |  1 -
 web/lib/acctfuncs.inc.php | 17 -----------------
 3 files changed, 1 insertion(+), 19 deletions(-)

diff --git a/aurweb/routers/sso.py b/aurweb/routers/sso.py
index 2e4fbacc..73c884a4 100644
--- a/aurweb/routers/sso.py
+++ b/aurweb/routers/sso.py
@@ -56,7 +56,7 @@ def open_session(request, conn, user_id):
         raise HTTPException(status_code=403, detail=_('Account suspended'))
         # TODO This is a terrible message because it could imply the attempt at
         #      logging in just caused the suspension.
-    # TODO apply [options] max_sessions_per_user
+
     sid = uuid.uuid4().hex
     conn.execute(Sessions.insert().values(
         UsersID=user_id,
diff --git a/conf/config.defaults b/conf/config.defaults
index 49259754..98e033b7 100644
--- a/conf/config.defaults
+++ b/conf/config.defaults
@@ -13,7 +13,6 @@ passwd_min_len = 8
 default_lang = en
 default_timezone = UTC
 sql_debug = 0
-max_sessions_per_user = 8
 login_timeout = 7200
 persistent_cookie_timeout = 2592000
 max_filesize_uncompressed = 8388608
diff --git a/web/lib/acctfuncs.inc.php b/web/lib/acctfuncs.inc.php
index ebabb840..bc603d3b 100644
--- a/web/lib/acctfuncs.inc.php
+++ b/web/lib/acctfuncs.inc.php
@@ -596,23 +596,6 @@ function try_login() {
 
 	/* Generate a session ID and store it. */
 	while (!$logged_in && $num_tries < 5) {
-		$session_limit = config_get_int('options', 'max_sessions_per_user');
-		if ($session_limit) {
-			/*
-			 * Delete all user sessions except the
-			 * last ($session_limit - 1).
-			 */
-			$q = "DELETE s.* FROM Sessions s ";
-			$q.= "LEFT JOIN (SELECT SessionID FROM Sessions ";
-			$q.= "WHERE UsersId = " . $userID . " ";
-			$q.= "ORDER BY LastUpdateTS DESC ";
-			$q.= "LIMIT " . ($session_limit - 1) . ") q ";
-			$q.= "ON s.SessionID = q.SessionID ";
-			$q.= "WHERE s.UsersId = " . $userID . " ";
-			$q.= "AND q.SessionID IS NULL;";
-			$dbh->query($q);
-		}
-
 		$new_sid = new_sid();
 		$q = "INSERT INTO Sessions (UsersID, SessionID, LastUpdateTS)"
 		  ." VALUES (" . $userID . ", '" . $new_sid . "', " . strval(time()) . ")";
-- 
2.27.0
