
Re: session invalidation not working


From: Nala Ginrut
Subject: Re: session invalidation not working
Date: Sat, 27 Feb 2021 22:35:31 +0800
User-agent: mu4e 1.4.15; emacs 27.1

Hi Mortimer!
I'm going to officially release our product on 1st March, so I've been busy
with it recently.
I'll take a look at this issue soon.

Best regards.

Mortimer Cladwell writes:

> Hi Nala,
>
> Using Artanis v0.5 with the #:valid 1 corrections session invalidation is
> still not working for me using Postgres i.e. sessions.valid never equals
> 0.  Below I evaluate (:session rc 'check) for various combinations of
> database table sessions.expires (time expired or not), sessions.valid (0 or
> 1) and cookie "sid" expires/max age (time expired or not).  I manually
> UPDATE the sessions table to achieve the desired combinations, some of
> which are contrived i.e. sessions.expires and cookie "sid" expires should
> always be the same but are different in some of my combinations below.
>
> =====================
>
> sessions.expires: not expired
> sessions.valid: 1
> cookie "sid" expires: not expired
> (:session rc 'check): #t
>
>
> sessions.expires: expired
> sessions.valid: 1
> cookie "sid" expires: not expired
> (:session rc 'check): #f  (Artanis checks session.expires and indicates
> expired even if valid=1!! so valid is irrelevant (no - see below)?  Also,
> cookie "sid" is deleted)
>
>
> sessions.expires: not expired
> sessions.valid: 1
> cookie "sid" expires: expired
> (:session rc 'check): #t (Artanis ignores the cookie "sid" expiration time)
>
>
> sessions.expires: not expired
> sessions.valid: 0
> cookie "sid" expires: not expired
> (:session rc 'check): #f  (even though session.expires has not yet expired,
> valid=0 results in #f, so for (:session rc 'check)==#t, both
> sessions.expires and valid must be not expired and 1 respectively.  valid=0
> does NOT result in removal of cookie "sid".)
>
> =======================
>
> Is session invalidation working for anyone?
> Thanks
> Mortimer
>
> On Tue, Feb 16, 2021 at 3:40 PM Mortimer Cladwell <mbcladwell@gmail.com>
> wrote:
>
>> Hi Nala,
>>
>> Thanks for v0.5 which is being used below with
>> Guile-3.0.5/Debian10/Postgres12.4
>>
>>  In my Postgres table sessions I never see sessions.valid=0, always
>> sessions.valid=1, even for sessions that are months old.
>>
>>  I see in artanis/session.scm:
>>
>>  (define (backend:session-destory/db sb sid)
>>   (let ((mt (map-table-from-DB (session-backend-meta sb))))
>>     (mt 'set 'Sessions #:valid "0")))
>>
>> In my table valid is an integer, and you have a note  " (valid integer))))
>> ; 1 for valid, 0 for expired"  at line 178 confirming integer.
>> For postgres the update needs to look like:
>>
>>  UPDATE sessions SET valid=0 WHERE sid='df4f759814491a9b85e40202c29fe11a';
>>
>> Note no quotes around 0. Is that the problem?
>>
>> In session.scm and oht.scm I see a lot of "destory".  Should that be
>> "destroy"?
>>
>>  Thanks
>>  Mortimer
>>


--
GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058
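
Added example, not part of the original message and not Artanis code: a minimal server-side model of the session check and invalidation discussed in the quoted report, in which a session passes only when it is both unexpired and valid=1, and logout updates one row by sid. It assumes an in-memory SQLite table in place of the Postgres sessions table; the function names, session ids and the clear-cookie policy are hypothetical.

```python
import sqlite3
import time

# Columns follow the ones named in the thread (sid, expires, valid).
# Assumption: in-memory SQLite stands in for the Postgres sessions table.
SCHEMA = """CREATE TABLE sessions (
    sid     TEXT PRIMARY KEY,
    expires INTEGER NOT NULL,           -- Unix time
    valid   INTEGER NOT NULL DEFAULT 1  -- 1 for valid, 0 for expired
)"""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn

def create_session(conn, sid, expires, valid=1):
    conn.execute("INSERT INTO sessions (sid, expires, valid) VALUES (?, ?, ?)",
                 (sid, expires, valid))

def check_session(conn, sid, now=None):
    """Return (ok, clear_cookie), trusting only server-side state."""
    now = int(time.time()) if now is None else now
    row = conn.execute("SELECT expires, valid FROM sessions WHERE sid = ?",
                       (sid,)).fetchone()
    ok = row is not None and row[1] == 1 and row[0] > now
    # Hypothetical policy: every failed check tells the caller to clear "sid".
    return ok, not ok

def invalidate_session(conn, sid):
    """Set valid = 0 (integer) for one sid; return the number of rows changed."""
    cur = conn.execute(
        "UPDATE sessions SET valid = 0 WHERE sid = ? AND valid = 1", (sid,))
    return cur.rowcount

if __name__ == "__main__":
    now = 1_000_000  # constructed clock value
    db = open_store()
    create_session(db, "sid-a", now + 3600)  # constructed session ids
    create_session(db, "sid-b", now + 3600)
    print(check_session(db, "sid-a", now))   # before logout
    print(invalidate_session(db, "sid-a"))   # rows changed
    print(check_session(db, "sid-a", now))   # after logout
    print(check_session(db, "sid-b", now))   # other session untouched
```

The cookie's own expiry is deliberately not an input to the check, since it is client-controlled; the row count returned by the update gives a direct way to confirm that an invalidation actually reached the table.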
