From 8a696ab77de758eed28abc3a55bb18cf8993b318 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Sun, 2 Sep 2012 19:51:12 +0200
Subject: [PATCH 1/2] Expect a comma seperated list of sessionIDs in session cookie
This allows people to be active on more than one group.
---
 doc/api/http_api.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/doc/api/http_api.md b/doc/api/http_api.md
index 335efb3c..bfde6086 100644
--- a/doc/api/http_api.md
+++ b/doc/api/http_api.md
@@ -151,7 +151,7 @@ Theses authors are bind to the attributes the users choose (color and name).
 -> can't be deleted cause this would involve scanning all the pads where this author was
 ### Session
-Sessions can be created between a group and an author. This allows an author to access more than one group. The sessionID will be set as a cookie to the client and is valid until a certain date. Only users with a valid session for this group, can access group pads. You can create a session after you authenticated the user at your web application, to give them access to the pads. You should save the sessionID of this session and delete it after the user logged out
+Sessions can be created between a group and an author. This allows an author to access more than one group. The sessionID will be set as a cookie to the client and is valid until a certain date. The session cookie can also contain multiple comma-seperated sessionIDs, allowing a user to edit pads in different groups at the same time. Only users with a valid session for this group, can access group pads. You can create a session after you authenticated the user at your web application, to give them access to the pads. You should save the sessionID of this session and delete it after the user logged out.
 * **createSession(groupID, authorID, validUntil)** creates a new session. validUntil is an unix timestamp in seconds

 *Example returns:*
 * `{code: 0, message:"ok", data: {sessionID: "s.s8oes9dhwrvt0zif"}}`
From dad83d9b77356a8829d23fb6fe1ae15bf7631c14 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Sun, 2 Sep 2012 19:51:40 +0200
Subject: [PATCH 2/2] Document multi-session cookie feature
---
 src/node/db/SecurityManager.js | 50 ++++++++++++++++------------------
 1 file changed, 24 insertions(+), 26 deletions(-)
diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index a092453a..c0efcf5b 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -36,15 +36,15 @@ var randomString = require('ep_etherpad-lite/static/js/pad_utils').randomString;
 * @param password the password the user has given to access this pad, can be null
 * @param callback will be called with (err, {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx})
 */
-exports.checkAccess = function (padID, sessionID, token, password, callback)
+exports.checkAccess = function (padID, sessionCookie, token, password, callback)
 {
 var statusObject;

 // a valid session is required (api-only mode)
 if(settings.requireSession)
 {
- // no sessionID, access is denied
- if(!sessionID)
+ // without sessionCookie, access is denied
+ if(!sessionCookie)
 {
 callback(null, {accessStatus: "deny"});
 return;
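Review bot: The JSDoc above `exports.checkAccess` still appears to describe the second argument under its old name and shape — the `@param` line for it sits just above this hunk (the context starts at `@param password`) and is not touched, even though the value is now a comma-separated list of sessionIDs rather than a single one. Since this commit is titled as documenting the feature, that line should be updated, e.g. `* @param sessionCookie the value of the session cookie: one sessionID or a comma-separated list of sessionIDs`. The body of checkAccess continues past the end of this hunk.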
@@ -114,32 +114,30 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
 callback();
 });
 },
- //get informations about this session
+ //get information about all sessions contained in this cookie
 function(callback)
 {
- sessionManager.getSessionInfo(sessionID, function(err, sessionInfo)
- {
- //skip session validation if the session doesn't exists
- if(err && err.message == "sessionID does not exist")
- {
- callback();
- return;
- }
-
- if(ERR(err, callback)) return;
-
- var now = Math.floor(new Date().getTime()/1000);
-
- //is it for this group? and is validUntil still ok? --> validSession
- if(sessionInfo.groupID == groupID && sessionInfo.validUntil > now)
- {
+ var sessionIDs = sessionCookie.split(',');
+ async.foreach(sessionIDs, function(sessionID) {
+ sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) {
+ //skip session if it doesn't exist
+ if(err && err.message == "sessionID does not exist") return;
+
+ if(ERR(err, callback)) return;
+
+ var now = Math.floor(new Date().getTime()/1000);
+
+ //is it for this group?
+ if(sessionInfo.groupID != groupID) return;
+
+ //is validUntil still ok?
+ if(sessionInfo.validUntil <= now) return;
+
+ // There is a valid session
 validSession = true;
- }
-
- sessionAuthor = sessionInfo.authorID;
-
- callback();
- });
+ sessionAuthor = sessionInfo.authorID;
+ });
+ }, callback)
 },
 //get author for token
 function(callback)
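Review bot: The new `async.foreach(sessionIDs, function(sessionID) {...}, callback)` step does not look like it can ever complete: the async library exports `forEach`/`each`, not lowercase `foreach`, and even with the right name its iterator is handed a per-item callback that this code neither accepts nor calls, so the step's `callback` is never reached and the waterfall stalls instead of reaching the token lookup. The `if(ERR(err, callback)) return;` inside the loop also fires the step callback while the other lookups are still in flight, and `sessionAuthor` is overwritten by whichever valid session for this group resolves last, so a cookie carrying several valid sessions yields an order-dependent author — that last point still needs a decision. If `sessionCookie` can be absent here (the deny check in the earlier hunk only applies under `settings.requireSession`), `sessionCookie.split(',')` throws where the old `getSessionInfo(undefined, …)` was skipped as a non-existent session. A version that threads the per-item callback and guards the missing cookie follows; the enclosing checkAccess starts and ends outside this hunk.
```javascript
    //get information about all sessions contained in this cookie
    function(callback)
    {
      // no cookie means nothing to validate; validSession stays false
      var sessionIDs = sessionCookie ? sessionCookie.split(',') : [];
      async.forEach(sessionIDs, function(sessionID, cb) {
        sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) {
          //skip session if it doesn't exist
          if(err && err.message == "sessionID does not exist") return cb();

          if(ERR(err, cb)) return;

          var now = Math.floor(new Date().getTime()/1000);

          // only a session for this group that has not expired counts
          if(sessionInfo.groupID == groupID && sessionInfo.validUntil > now)
          {
            validSession = true;
            sessionAuthor = sessionInfo.authorID;
          }
          cb();
        });
      }, callback);
    },
    // … unchanged: token lookup step …
```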