authorlloyd <[email protected]>2012-06-10 12:42:09 +0000
committerlloyd <[email protected]>2012-06-10 12:42:09 +0000
commit8d30d35141f43c784bbce356974fd3c6c70031f0 (patch)
tree328bc11063ceedc894191b0cebf140c5d777725c
parent657ffc49505fa1b5ec675f2be22e8a8a15fd8918 (diff)
Generate new session IDs in the same format as hello randoms, with the
first 4 bytes a timestamp. Conveniently this means removing the lexicographically first session id from a cache is removing the oldest session.
-rw-r--r--src/tls/tls_server.cpp2
-rw-r--r--src/tls/tls_session_manager.cpp4
2 files changed, 3 insertions, 3 deletions
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index d1d9463e2..9027fbd2f 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -445,7 +445,7 @@ void Server::process_handshake_msg(Handshake_Type type,
m_state->server_hello = new Server_Hello(
m_writer,
m_state->hash,
- unlock(m_rng.random_vec(32)), // new session ID
+ make_hello_random(m_rng), // new session ID
m_state->version(),
choose_ciphersuite(m_policy, m_creds, cert_chains, m_state->client_hello),
choose_compression(m_policy, m_state->client_hello->compression_methods()),
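Review bot: The session ID argument is now `make_hello_random(m_rng)`, and nothing at this call site says that its timestamp prefix is what the cache eviction in tls_session_manager.cpp depends on. If make_hello_random (not defined in this diff) later changes its layout, eviction in Session_Manager_In_Memory::save silently goes back to arbitrary order. I would extend the trailing comment to `// new session ID: 4-byte timestamp + random bytes; Session_Manager_In_Memory::save relies on this for oldest-first eviction`, or route the call through a helper named for session IDs. Going by the commit message the ID keeps 28 random bytes, which should still be unguessable, but the value travels in the clear and now carries the server clock, so that is worth stating in the docs. process_handshake_msg begins and ends outside this hunk.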
diff --git a/src/tls/tls_session_manager.cpp b/src/tls/tls_session_manager.cpp
index 72eb83c21..55c06bc16 100644
--- a/src/tls/tls_session_manager.cpp
+++ b/src/tls/tls_session_manager.cpp
@@ -86,8 +86,8 @@ void Session_Manager_In_Memory::save(const Session& session)
if(m_max_sessions != 0)
{
/*
- This removes randomly based on ordering of session ids.
- Instead, remove oldest first?
+ We generate new session IDs with the first 4 bytes being a
+ timestamp, so this actually removes the oldest sessions first.
*/
while(m_sessions.size() >= m_max_sessions)
m_sessions.erase(m_sessions.begin());
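Review bot: The rewritten comment above the `while` loop states an invariant that save() does not enforce: `m_sessions.begin()` is the oldest entry only when every stored ID was minted by the server-side generator in tls_server.cpp and the container's key order matches the byte order of the ID with a big-endian timestamp. Neither the key type nor the timestamp encoding is visible in this hunk, so both need confirming. If this manager can also hold sessions whose IDs were chosen by a remote peer (client-side use, presumably), eviction order follows peer-controlled bytes and a long-lived entry can outlast newer ones. I would word the comment with that limit, e.g. `Oldest-first holds only for IDs generated by our own server (timestamp prefix); IDs from other sources, and IDs from the same second, are evicted in arbitrary order.` A sturdier option is to evict on the session's own start time rather than on the ID. save() starts before and continues past this hunk.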