sec-mod: do not export expired entries to cookies list op

Also combined macro to determine expired entries.

src/sec-mod-auth.c

@@ -384,7 +384,7 @@ int handle_secm_session_open_cmd(sec_mod_st *sec, int fd, const SecmSessionOpenM
 		return send_failed_session_open_reply(sec, fd);
 	}
 
-	if (e->time != -1 && time(0) > e->time + sec->config->cookie_timeout) {
+	if IS_CLIENT_ENTRY_EXPIRED(sec, e, time(0)) {
 		seclog(sec, LOG_ERR, "session expired; denied session for user '%s' "SESSION_STR, e->acct_info.username, e->acct_info.psid);
 		e->status = PS_AUTH_FAILED;
 		return send_failed_session_open_reply(sec, fd);

src/sec-mod-cookies.c

@@ -48,6 +48,7 @@ void handle_secm_list_cookies_reply(void *pool, int fd, sec_mod_st *sec)
 	struct htable_iter iter;
 	CookieIntMsg *cookies;
 	int ret;
+	time_t now = time(0);
 
 	if (db == NULL) {
 		send_empty_reply(pool, fd, sec);
@@ -70,6 +71,9 @@ void handle_secm_list_cookies_reply(void *pool, int fd, sec_mod_st *sec)
 
 	t = htable_first(db, &iter);
 	while (t != NULL) {
+		if IS_CLIENT_ENTRY_EXPIRED(sec, t, now)
+			continue;
+
 		if (msg.n_cookies >= db->elems)
 			break;
 

src/sec-mod-db.c

@@ -168,8 +168,7 @@ void cleanup_client_entries(sec_mod_st *sec)
 
 	t = htable_first(db, &iter);
 	while (t != NULL) {
-		if (t->time != -1 && (now - t->time) > (sec->config->cookie_timeout + AUTH_SLACK_TIME) && 
-		    t->in_use == 0) {
+		if IS_CLIENT_ENTRY_EXPIRED_FULL(sec, t, now, 1) {
 			htable_delval(db, &iter);
 			clean_entry(sec, t);
 		}

src/sec-mod.h

@@ -68,6 +68,9 @@ typedef struct common_acct_info_st {
 	unsigned id;
 } common_acct_info_st;
 
+#define IS_CLIENT_ENTRY_EXPIRED_FULL(sec, e, now, clean) (e->time != -1 && (now - e->time) > (sec->config->cookie_timeout + (clean?AUTH_SLACK_TIME:0)) && e->in_use == 0)
+#define IS_CLIENT_ENTRY_EXPIRED(sec, e, now) IS_CLIENT_ENTRY_EXPIRED_FULL(sec, e, now, 0)
+
 typedef struct client_entry_st {
 	/* A unique session identifier used to distinguish sessions
 	 * prior to authentication. It is sent as cookie to the client