If a client does the following:
- Open TCP Socket
- /* do something */
- Close TCP Socket (without calling CloseSecureChannel and/or CloseSession)
The server internally closes the TCP socket as well as the related SecureChannel.
Is it correct that the server does NOT clean up the related session? Only after the session lifetime is exceeded will the session be closed.
A Server application should limit the number of Sessions. To protect against misbehaving Clients and denial of service attacks, the Server shall close the oldest Session that is not activated before reaching the maximum number of supported Sessions.
- The session was already activated in server
- No CloseSession request was sent, only a socket close was sent from client to server
- Socket close causes removing securechannel in server
Beware: the client's behaviour is not compliant in this situation, but it can happen, for instance, when a Docker container was killed. So the OS closes all sockets.
- Question: Removing securechannel causes Session to switch to "not activated" in server? IMHO not or where is this specified?
The Session and Subscription timeouts exist to give clients time to recover when communication is interrupted. So closing a socket without calling CloseSession means the timeouts need to be honoured, because the Server cannot know if it was a network issue and the Client intends to reconnect or if it is gone forever.
The Server can override the timeouts requested if they are too long, but other than that there are not any options available to Servers after ActivateSession is called successfully.
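The behaviour discussed in this thread, modelled as an added example (not code from any participant or from a specific OPC UA stack): an activated session survives the loss of its SecureChannel until its revised timeout expires, and only never-activated sessions are evicted when the session limit is hit. `SessionTable`, its method names and the numeric limits are hypothetical.

```python
import itertools
from dataclasses import dataclass

@dataclass
class Session:
    sid: int
    created: float
    timeout: float            # revised timeout in seconds (server may shorten the request)
    last_seen: float
    activated: bool = False
    channel_open: bool = True

class SessionTable:
    """Simplified model of server-side session bookkeeping (assumed design)."""
    def __init__(self, max_sessions, max_timeout):
        self.max_sessions, self.max_timeout = max_sessions, max_timeout
        self.sessions = {}
        self._ids = itertools.count(1)

    def create(self, now, requested_timeout):
        self.expire(now)
        if len(self.sessions) >= self.max_sessions:
            # Limit reached: close the oldest session that was never activated.
            pending = [s for s in self.sessions.values() if not s.activated]
            if not pending:
                return None   # only activated sessions left: reject the request
            del self.sessions[min(pending, key=lambda s: s.created).sid]
        timeout = min(requested_timeout, self.max_timeout)  # override overly long timeouts
        s = Session(next(self._ids), now, timeout, now)
        self.sessions[s.sid] = s
        return s.sid

    def activate(self, sid, now):
        s = self.sessions[sid]
        s.activated, s.channel_open, s.last_seen = True, True, now

    def channel_closed(self, sid):
        # Socket or SecureChannel gone without CloseSession: the session is kept
        # and stays activated, so the client can reconnect within the timeout.
        self.sessions[sid].channel_open = False

    def expire(self, now):
        # Sessions are removed only once their timeout has elapsed.
        dead = [sid for sid, s in self.sessions.items() if now - s.last_seen > s.timeout]
        for sid in dead:
            del self.sessions[sid]
        return dead
```

Because activated sessions cannot be evicted early in this model, the revised timeout and the session limit together bound how long orphaned sessions from killed clients can occupy the table.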