Server Sessions: implement a mechanism to auto-close oldest unactivated session
In OPC UA specification part 4 §5.6.2.1 (v1.04) it is indicated:
A Server application should limit the number of Sessions. To protect against misbehaving Clients and denial of service attacks, the Server shall close the oldest Session that is not activated before reaching the maximum number of supported Sessions.
Implement this mechanism when the number of sessions will reach the maximum on next session creation, i.e. after a session creation. Add a check that a minimum time elapsed since the session creation to avoid closing the last session created immediately. As a consequence, also execute the auto-close mechanism before possible a session creation in case a session was not releasable immediately on previous auto-close check.