From 69c52fdf8c3328b0b6ae283c7397964bf5933943 Mon Sep 17 00:00:00 2001
From: Josh Holtrop
Date: Sun, 29 Mar 2026 21:22:45 -0400
Subject: [PATCH] Store creation time with session; delete old sessions

---
 cgi-bin/malp.rb | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)

diff --git a/cgi-bin/malp.rb b/cgi-bin/malp.rb
index 8393702..e567133 100755
--- a/cgi-bin/malp.rb
+++ b/cgi-bin/malp.rb
@@ -14,10 +14,25 @@ cgi = CGI.new
 
 hostname = File.read("/etc/hostname").strip rescue "localhost"
 
+def load_sessions
+ return [] unless File.exist?(SESSIONS_FILE)
+ now = Time.now.to_i
+ max_age = 3 * 7 * 24 * 60 * 60 # 3 weeks
+ sessions = File.readlines(SESSIONS_FILE).filter_map do |line|
+ token, timestamp = line.strip.split(":", 2)
+ next if token.nil? || token.empty?
+ [token, timestamp.to_i]
+ end
+ active, expired = sessions.partition { |_, ts| now - ts < max_age }
+ if expired.any?
+ File.write(SESSIONS_FILE, active.map { |t, ts| "#{t}:#{ts}" }.join("\n") + "\n")
+ end
+ active
+end
+
 def valid_session?(token)
 return false if token.nil? || token.empty?
- return false unless File.exist?(SESSIONS_FILE)
- File.readlines(SESSIONS_FILE).any? { |line| line.strip == token }
+ load_sessions.any? { |t, _| t == token }
 end
 
 def check_credentials(username, password)
@@ -31,7 +46,7 @@ end
 
 def create_session
 token = SecureRandom.hex(32)
- File.open(SESSIONS_FILE, "a") { |f| f.puts(token) }
+ File.open(SESSIONS_FILE, "a") { |f| f.puts("#{token}:#{Time.now.to_i}") }
 token
 end
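Review bot: `load_sessions` rewrites `SESSIONS_FILE` with `File.write` on the session-validation path without any locking, so two concurrent CGI requests can interleave: a line appended by `create_session` (second hunk) between the `readlines` and the `File.write` is silently discarded, and a reader that opens the file while it is being truncated and rewritten can reject a valid session. Take an exclusive `flock` around the read-prune-write as sketched below, and in `create_session` as well: `File.open(SESSIONS_FILE, "a") { |f| f.flock(File::LOCK_EX); f.puts("#{token}:#{Time.now.to_i}") }`. Separately, lines written before this change carry no `:timestamp`, so `timestamp.to_i` is 0 and every existing session is pruned on the first request after deploy; that fails closed, but it deserves a comment such as `# legacy lines without a timestamp parse as 0 and are treated as expired`.

```ruby
def load_sessions
  # … unchanged: existence check, now, max_age …
  File.open(SESSIONS_FILE, File::RDWR) do |f|
    f.flock(File::LOCK_EX) # held until the block closes the file
    sessions = f.readlines.filter_map do |line|
      # … unchanged: token/timestamp parsing …
    end
    active, expired = sessions.partition { |_, ts| now - ts < max_age }
    if expired.any?
      f.rewind
      f.write(active.map { |t, ts| "#{t}:#{ts}\n" }.join)
      f.flush
      f.truncate(f.pos)
    end
    active
  end
end
```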