
Re: session invalidation not working


From: Nala Ginrut
Subject: Re: session invalidation not working
Date: Mon, 22 Mar 2021 09:29:04 +0800
User-agent: mu4e 1.4.15; emacs 27.1

I'm taking a look at this issue now.
Wait a moment.

Nala Ginrut writes:

> Hi Mortimer!
> I'm going to officially release our product on 1st March, so I'm busy with
> it recently.
> I'll take a look at this issue soon.
>
> Best regards.
>
> Mortimer Cladwell writes:
>
>> Hi Nala,
>>
>> Using Artanis v0.5 with the #:valid 1 corrections session invalidation is
>> still not working for me using Postgres i.e. sessions.valid never equals
>> 0.  Below I evaluate (:session rc 'check) for various combinations of
>> database table sessions.expires (time expired or not), sessions.valid (0 or
>> 1) and cookie "sid" expires/max age (time expired or not).  I manually
>> UPDATE the sessions table to achieve the desired combinations, some of
>> which are contrived i.e. sessions.expires and cookie "sid" expires should
>> always be the same but are different in some of my combinations below.
>>
>> =====================
>>
>> sessions.expires: not expired
>> sessions.valid: 1
>> cookie "sid" expires: not expired
>> (:session rc 'check): #t
>>
>>
>> sessions.expires: expired
>> sessions.valid: 1
>> cookie "sid" expires: not expired
>> (:session rc 'check): #f  (Artanis checks session.expires and indicates
>> expired even if valid=1!! so valid is irrelevant (no - see below)?  Also,
>> cookie "sid" is deleted)
>>
>>
>> sessions.expires: not expired
>> sessions.valid: 1
>> cookie "sid" expires: expired
>> (:session rc 'check): #t (Artanis ignores the cookie "sid" expiration time)
>>
>>
>> sessions.expires: not expired
>> sessions.valid: 0
>> cookie "sid" expires: not expired
>> (:session rc 'check): #f  (even though session.expires has not yet expired,
>> valid=0 results in #f, so for (:session rc 'check)==#t, both
>> sessions.expires and valid must be not expired and 1 respectively.  valid=0
>> does NOT result in removal of cookie "sid".)
>>
>> =======================
>>
>> Is session invalidation working for anyone?
>> Thanks
>> Mortimer
>>
>> On Tue, Feb 16, 2021 at 3:40 PM Mortimer Cladwell <mbcladwell@gmail.com>
>> wrote:
>>
>>> Hi Nala,
>>>
>>> Thanks for v0.5 which is being used below with
>>> Guile-3.0.5/Debian10/Postgres12.4
>>>
>>>  In my Postgres table sessions I never see sessions.valid=0, always
>>> sessions.valid=1, even for sessions that are months old.
>>>
>>>  I see in artanis/session.scm:
>>>
>>>  (define (backend:session-destory/db sb sid)
>>>   (let ((mt (map-table-from-DB (session-backend-meta sb))))
>>>     (mt 'set 'Sessions #:valid "0")))
>>>
>>> In my table valid is an integer, and you have a note  " (valid integer))))
>>> ; 1 for valid, 0 for expired"  at line 178 confirming integer.
>>> For postgres the update needs to look like:
>>>
>>>  UPDATE sessions SET valid=0 WHERE sid='df4f759814491a9b85e40202c29fe11a';
>>>
>>> Note no quotes around 0. Is that the problem?
>>>
>>> In session.scm and oht.scm I see a lot of "destory".  Should that be
>>> "destroy"?
>>>
>>>  Thanks
>>>  Mortimer
>>>


--
GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058
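
An added example, not part of the thread and not Artanis code: a server-side session check that reproduces the combinations reported above (both expires and valid must pass, the cookie's own expiry is ignored) together with an invalidation that writes integer 0 scoped to one sid. It assumes SQLite in place of Postgres and hypothetical function names; telling the client to drop "sid" on every failed check is a choice made for this example, not behaviour observed in the thread.

```python
import sqlite3

def open_store():
    """In-memory stand-in for the sessions table (column names as in the thread)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions ("
               "sid TEXT PRIMARY KEY, expires INTEGER, valid INTEGER)")
    return db

def session_check(db, sid, now):
    """Return (ok, clear_cookie). Only the server-side row is trusted;
    the expiry carried by the cookie itself is never consulted."""
    row = db.execute("SELECT expires, valid FROM sessions WHERE sid = ?",
                     (sid,)).fetchone()
    if row is None:
        return False, True
    expires, valid = row
    ok = valid == 1 and expires > now
    # Choice made for this example: every failed check also asks the
    # client to delete the "sid" cookie, whichever condition failed.
    return ok, not ok

def session_destroy(db, sid):
    """Invalidate exactly one session: integer 0, bound parameter for sid."""
    cur = db.execute("UPDATE sessions SET valid = 0 WHERE sid = ?", (sid,))
    db.commit()
    return cur.rowcount  # number of rows actually invalidated

def demo():
    db = open_store()
    now = 1000  # constructed clock value
    # Constructed rows: live, expired but valid=1, unexpired but valid=0.
    rows = [("a", 2000, 1), ("b", 500, 1), ("c", 2000, 0)]
    db.executemany("INSERT INTO sessions VALUES (?, ?, ?)", rows)
    results = {sid: session_check(db, sid, now) for sid, _, _ in rows}
    results["rows changed"] = session_destroy(db, "a")
    results["a after destroy"] = session_check(db, "a", now)
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Checking the value returned by session_destroy is what exposes the symptom described in the thread: an invalidation that changes no rows leaves valid at 1 for every session.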
