From dad83d9b77356a8829d23fb6fe1ae15bf7631c14 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Sun, 2 Sep 2012 19:51:40 +0200
Subject: [PATCH] Document multi-session cookie feature

---
 src/node/db/SecurityManager.js | 50 ++++++++++++++++------------------
 1 file changed, 24 insertions(+), 26 deletions(-)

diff --git a/src/node/db/SecurityManager.js b/src/node/db/SecurityManager.js
index a092453a..c0efcf5b 100644
--- a/src/node/db/SecurityManager.js
+++ b/src/node/db/SecurityManager.js
@@ -36,15 +36,15 @@ var randomString = require('ep_etherpad-lite/static/js/pad_utils').randomString;
  * @param password the password the user has given to access this pad, can be null
  * @param callback will be called with (err, {accessStatus: grant|deny|wrongPassword|needPassword, authorID: a.xxxxxx})
  */
-exports.checkAccess = function (padID, sessionID, token, password, callback)
+exports.checkAccess = function (padID, sessionCookie, token, password, callback)
 {
   var statusObject;
 
   // a valid session is required (api-only mode)
   if(settings.requireSession)
   {
-    // no sessionID, access is denied
-    if(!sessionID)
+    // without sessionCookie, access is denied
+    if(!sessionCookie)
     {
       callback(null, {accessStatus: "deny"});
       return;
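Review bot: The meaning of the second parameter changes here (the new comment calls it a cookie, and the second hunk splits it on commas into several session IDs), yet the only JSDoc visible in this hunk still documents `password` and `callback`; the `@param` for the second argument lies above the hunk and, if it still reads `@param sessionID`, should become `@param sessionCookie the sessionID cookie, which may hold several session IDs separated by commas; can be null`. Apart from that the hunk is a rename plus a comment update. checkAccess continues well past the end of this hunk.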
@@ -114,32 +114,30 @@ exports.checkAccess = function (padID, sessionID, token, password, callback)
       callback();
     });
   },
-  //get informations about this session
+  //get information about all sessions contained in this cookie
   function(callback)
   {
-    sessionManager.getSessionInfo(sessionID, function(err, sessionInfo)
-    {
-      //skip session validation if the session doesn't exists
-      if(err && err.message == "sessionID does not exist")
-      {
-        callback();
-        return;
-      }
-
-      if(ERR(err, callback)) return;
-
-      var now = Math.floor(new Date().getTime()/1000);
-
-      //is it for this group? and is validUntil still ok? --> validSession
-      if(sessionInfo.groupID == groupID && sessionInfo.validUntil > now)
-      {
+    var sessionIDs = sessionCookie.split(',');
+    async.foreach(sessionIDs, function(sessionID) {
+      sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) {
+        //skip session if it doesn't exist
+        if(err && err.message == "sessionID does not exist") return;
+
+        if(ERR(err, callback)) return;
+
+        var now = Math.floor(new Date().getTime()/1000);
+
+        //is it for this group?
+        if(sessionInfo.groupID != groupID) return;
+
+        //is validUntil still ok?
+        if(sessionInfo.validUntil <= now) return;
+
+        // There is a valid session
         validSession = true;
-      }
-
-      sessionAuthor = sessionInfo.authorID;
-
-      callback();
-    });
+        sessionAuthor = sessionInfo.authorID;
+      });
+    }, callback)
   },
   //get author for token
   function(callback)
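Review bot: The iterator handed to `async.foreach` takes only `sessionID` and never calls a per-item completion callback, so on the success path the final `callback` passed as third argument can never fire and checkAccess stalls at this step, while on the error path `ERR(err, callback)` invokes the outer step callback directly and may do so once per failing session. The iterator should accept `(sessionID, cb)`, turn each bare `return;` into `return cb();`, and call `cb()` after setting `sessionAuthor`; the lowercase `foreach` also looks like it should be `forEach` (or `each`) — worth confirming against the installed async version. Because `sessionCookie` comes from the client, `split(',')` is unbounded: a cookie listing many IDs triggers one `getSessionInfo` lookup per entry, so consider capping the list length and trimming entries before the loop. When several sessions in the cookie are valid for the group, `sessionAuthor` ends up as whichever lookup completes last, which is nondeterministic. checkAccess begins before and ends after this hunk, including the declarations of `validSession`, `sessionAuthor` and `groupID`.
```javascript
    var sessionIDs = sessionCookie.split(',');
    async.forEach(sessionIDs, function(sessionID, cb) {
      sessionManager.getSessionInfo(sessionID, function(err, sessionInfo) {
        //skip session if it doesn't exist
        if(err && err.message == "sessionID does not exist") return cb();
        if(err) return cb(err);

        var now = Math.floor(new Date().getTime()/1000);
        // … unchanged: group and validUntil checks, each ending in `return cb();` instead of a bare `return;` …
        validSession = true;
        sessionAuthor = sessionInfo.authorID;
        cb();
      });
    }, callback);
```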