increased the default cookie rekey time to 3 days

doc/sample.config

@@ -311,9 +311,8 @@ cookie-timeout = 300
 # Cookie rekey time (in seconds)
 # The time after which the key used to encrypt cookies will be
 # refreshed. After this time the previous key will also be valid
-# for verification. It is recommended not to modify the default
-# value.
-cookie-rekey-time = 14400
+# for verification until the next rotation cycle.
+cookie-rekey-time = 259200
 
 # If this is enabled (not recommended) the cookies will stay
 # valid even after a user manually disconnects, and until they

src/cookies.h

@@ -30,7 +30,8 @@
 
 /* The time after a disconnection the cookie is valid */
 #define DEFAULT_COOKIE_RECON_TIMEOUT 120
-#define DEFAULT_COOKIE_REKEY_TIME 14400
+/* The time after a cookie key is rotated */
+#define DEFAULT_COOKIE_REKEY_TIME 259200
 
 int encrypt_cookie(void *pool, gnutls_datum_t *key, const Cookie *msg,
         uint8_t** ecookie, unsigned *ecookie_size);

src/ocserv-args.def

@@ -405,9 +405,8 @@ cookie-timeout = 300
 # Cookie rekey time (in seconds)
 # The time after which the key used to encrypt cookies will be
 # refreshed. After this time the previous key will also be valid
-# for verification. It is recommended not to modify the default
-# value.
-cookie-rekey-time = 14400
+# for verification until the next rotation cycle.
+cookie-rekey-time = 259200
 
 # If this is enabled (not recommended) the cookies will stay
 # valid even after a user manually disconnects, and until they