Store creation time with session; delete old sessions

cgi-bin/malp.rb

@@ -14,10 +14,25 @@ cgi = CGI.new
 
 hostname = File.read("/etc/hostname").strip rescue "localhost"
 
+def load_sessions
+  return [] unless File.exist?(SESSIONS_FILE)
+  now = Time.now.to_i
+  max_age = 3 * 7 * 24 * 60 * 60 # 3 weeks
+  sessions = File.readlines(SESSIONS_FILE).filter_map do |line|
+    token, timestamp = line.strip.split(":", 2)
+    next if token.nil? || token.empty?
+    [token, timestamp.to_i]
+  end
+  active, expired = sessions.partition { |_, ts| now - ts < max_age }
+  if expired.any?
+    File.write(SESSIONS_FILE, active.map { |t, ts| "#{t}:#{ts}" }.join("\n") + "\n")
+  end
+  active
+end
+
 def valid_session?(token)
   return false if token.nil? || token.empty?
-  return false unless File.exist?(SESSIONS_FILE)
+  load_sessions.any? { |t, _| t == token }
-  File.readlines(SESSIONS_FILE).any? { |line| line.strip == token }
 end
 
 def check_credentials(username, password)
@@ -31,7 +46,7 @@ end
 
 def create_session
   token = SecureRandom.hex(32)
-  File.open(SESSIONS_FILE, "a") { |f| f.puts(token) }
+  File.open(SESSIONS_FILE, "a") { |f| f.puts("#{token}:#{Time.now.to_i}") }
   token
 end