added config option 'persistent-cookies'

When it is set, it doesn't invalidate cookies after
user disconnection.

doc/sample.config

@@ -282,6 +282,11 @@ ban-reset-time = 300
 # between different networks.
 cookie-timeout = 300
 
+# If this is enabled (not recommended) the cookies will stay
+# valid even after a user manually disconnects. This may improve
+# roaming with some broken clients.
+#persistent-cookies = true
+
 # Whether roaming is allowed, i.e., if true a cookie is
 # restricted to a single IP address and cannot be re-used
 # from a different IP.

src/config.c

@@ -122,6 +122,7 @@ static struct cfg_options available_options[] = {
 	{ .name = "deny-roaming", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "use-utmp", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "use-dbus", .type = OPTION_BOOLEAN, .mandatory = 0 },
+	{ .name = "persistent-cookies", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "use-occtl", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "try-mtu-discovery", .type = OPTION_BOOLEAN, .mandatory = 0 },
 	{ .name = "ping-leases", .type = OPTION_BOOLEAN, .mandatory = 0 },
@@ -840,6 +841,7 @@ unsigned urlfw_size = 0;
 	READ_NUMERIC("cookie-timeout", config->cookie_timeout);
 	if (config->cookie_timeout == 0)
 		config->cookie_timeout = DEFAULT_COOKIE_RECON_TIMEOUT;
+	READ_TF("persistent-cookies", config->persistent_cookies, 0);
 
 	READ_NUMERIC("auth-timeout", config->auth_timeout);
 	READ_NUMERIC("idle-timeout", config->idle_timeout);

src/ocserv-args.def

@@ -359,6 +359,11 @@ ban-reset-time = 300
 # between different networks.
 cookie-timeout = 300
 
+# If this is enabled (not recommended) the cookies will stay
+# valid even after a user manually disconnects. This may improve
+# roaming with some broken clients.
+#persistent-cookies = true
+
 # Whether roaming is allowed, i.e., if true a cookie is
 # restricted to a single IP address and cannot be re-used
 # from a different IP.

src/sec-mod-auth.c

@@ -57,8 +57,6 @@
 # include <gssapi/gssapi_ext.h>
 #endif
 
-#define SESSION_STR "(session: %.5s)"
-
 void sec_auth_init(sec_mod_st * sec, struct perm_cfg_st *config)
 {
 	unsigned i;
@@ -548,15 +546,6 @@ int handle_sec_auth_session_close(int cfd, sec_mod_st *sec, const SecAuthSession
 	memset(&e->stats, 0, sizeof(e->stats));
 	expire_client_entry(sec, e);
 
-	if (e->in_use == 0 && (e->discon_reason == REASON_USER_DISCONNECT || e->discon_reason == REASON_SERVER_DISCONNECT)) {
-		seclog(sec, LOG_INFO, "invalidating session of user '%s' "SESSION_STR,
-			e->auth_info.username, e->auth_info.psid);
-		/* immediately disconnect the user */
-		del_client_entry(sec, e);
-	} else {
-		seclog(sec, LOG_INFO, "temporarily closing session for %s "SESSION_STR, e->auth_info.username, e->auth_info.psid);
-	}
-
 	return 0;
 }
 

src/sec-mod-db.c

@@ -188,6 +188,16 @@ void expire_client_entry(sec_mod_st *sec, client_entry_st * e)
 {
 	if (e->in_use > 0)
 		e->in_use--;
-	if (e->in_use == 0)
+	if (e->in_use == 0) {
 		e->time = time(0);
+
+		if (sec->config->persistent_cookies == 0 && (e->discon_reason == REASON_USER_DISCONNECT || e->discon_reason == REASON_SERVER_DISCONNECT)) {
+			seclog(sec, LOG_INFO, "invalidating session of user '%s' "SESSION_STR,
+				e->auth_info.username, e->auth_info.psid);
+			/* immediately disconnect the user */
+			del_client_entry(sec, e);
+		} else {
+			seclog(sec, LOG_INFO, "temporarily closing session for %s "SESSION_STR, e->auth_info.username, e->auth_info.psid);
+		}
+	}
 }

src/sec-mod.h

@@ -26,6 +26,8 @@
 #include <ccan/htable/htable.h>
 #include <base64.h>
 
+#define SESSION_STR "(session: %.5s)"
+
 typedef struct sec_mod_st {
 	gnutls_datum_t dcookie_key; /* the key to generate cookies */
 	uint8_t cookie_key[COOKIE_KEY_SIZE];

src/vpn.h

@@ -313,6 +313,7 @@ struct cfg_st {
 
 	unsigned deny_roaming; /* whether a cookie is restricted to a single IP */
 	time_t cookie_timeout;	/* in seconds */
+	unsigned persistent_cookies; /* whether cookies stay valid after disconnect */
 
 	time_t rekey_time;	/* in seconds */
 	unsigned rekey_method; /* REKEY_METHOD_ */