Delete expired session files when there is no traffic

[cbandy]

Most HTTP requests create a file in the sessions directory. Open browsers call /misc/cleanup every five minutes, but session files can accumulate after browsers are closed.

This wakes periodically to delete expired sessions according to the CHECK_SESSION_FILES_INTERVAL setting.

Fixes: #1999
Fixes: #8355

[adityatoshniwal]

Hi @cbandy,
There shouldn't be any http request when the browser is closed then how are session files accumulated?
The health check URL /misc/ping doesn't generate any session file.

[cbandy]

There shouldn't be any http request when the browser is closed then how are session files accumulated?

We run in server mode, so a request can come from anywhere on our intranet. We trust most things not to be malicious there, but there's no guarantee.

Here's what my idle (no recent user activity) pgAdmin sessions directory looks like before and after one OWASP scan:

$ du -sh /var/lib/pgadmin/sessions
44.0K   /var/lib/pgadmin/sessions

$ du -sh /var/lib/pgadmin/sessions
19.4M   /var/lib/pgadmin/sessions

Running a more intensive scan or scanning daily would quickly fill this disk.

[adityatoshniwal]

In that case, I think cleanup_session_files can be removed from /misc/cleanup as it will be taken care by the new code.

[cbandy]

In that case, I think cleanup_session_files can be removed from /misc/cleanup as it will be taken care by the new code.

Done! I also moved the timer into a try..finally so it will recur if there is trouble with the session directory temporarily.