Re: session invalidation not working

From: Mortimer Cladwell
Subject: Re: session invalidation not working
Date: Tue, 23 Mar 2021 02:10:12 -0400

Hi Nala,
I agree it seems redundant and could be removed. Currently I compare expires to current-time to assess session validity, so I would not miss it.

On Sun, Mar 21, 2021 at 10:39 PM Nala Ginrut <> wrote:

Hi Mortimer!
I found the `valid' field seems unnecessary in real cases. Although
expiration is just one of the reasons that a session could be invalid, in
real cases, we rarely invalidate a session other than by expiration. Or we
can intentionally set it to be expired if we want it to be invalid.

So I'm inclined to remove the `valid' field, what do you think?

Best regards.

Mortimer Cladwell writes:

> Hi Nala,
> Using Artanis v0.5 with the #:valid 1 corrections session invalidation is
> still not working for me using Postgres i.e. sessions.valid never equals
> 0.  Below I evaluate (:session rc 'check) for various combinations of
> database table sessions.expires (time expired or not), sessions.valid (0 or
> 1) and cookie "sid" expires/max age (time expired or not).  I manually
> UPDATE the sessions table to achieve the desired combinations, some of
> which are contrived i.e. sessions.expires and cookie "sid" expires should
> always be the same but are different in some of my combinations below.
> =====================
> sessions.expires: not expired
> sessions.valid: 1
> cookie "sid" expires: not expired
> (:session rc 'check): #t
>
> sessions.expires: expired
> sessions.valid: 1
> cookie "sid" expires: not expired
> (:session rc 'check): #f  (Artanis checks session.expires and indicates
> expired even if valid=1!! so valid is irrelevant (no - see below)?  Also,
> cookie "sid" is deleted)
>
> sessions.expires: not expired
> sessions.valid: 1
> cookie "sid" expires: expired
> (:session rc 'check): #t (Artanis ignores the cookie "sid" expiration time)
>
> sessions.expires: not expired
> sessions.valid: 0
> cookie "sid" expires: not expired
> (:session rc 'check): #f  (even though session.expires has not yet expired,
> valid=0 results in #f, so for (:session rc 'check)==#t, both
> sessions.expires and valid must be not expired and 1 respectively.  valid=0
> does NOT result in removal of cookie "sid".)
> =======================
> Is session invalidation working for anyone?
> Thanks
> Mortimer
> On Tue, Feb 16, 2021 at 3:40 PM Mortimer Cladwell <>
> wrote:
>> Hi Nala,
>> Thanks for v0.5 which is being used below with
>> Guile-3.0.5/Debian10/Postgres12.4
>>  In my Postgres table sessions I never see sessions.valid=0, always
>> sessions.valid=1, even for sessions that are months old.
>>  I see in artanis/session.scm:
>>  (define (backend:session-destory/db sb sid)
>>   (let ((mt (map-table-from-DB (session-backend-meta sb))))
>>     (mt 'set 'Sessions #:valid "0")))
>> In my table valid is an integer, and you have a note  " (valid integer))))
>> ; 1 for valid, 0 for expired"  at line 178 confirming integer.
>> For postgres the update needs to look like:
>>  UPDATE sessions SET valid=0 WHERE sid='df4f759814491a9b85e40202c29fe11a';
>> Note no quotes around 0. Is that the problem?
>> In session.scm and oht.scm I see a lot of "destory".  Should that be
>> "destroy"?
>>  Thanks
>>  Mortimer

GNU Powered it
GPL Protected it
GOD Blessed it
HFG - NalaGinrut
Fingerprint F53B 4C56 95B5 E4D5 6093 4324 8469 6772 846A 0058
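
The design discussed in this thread (drop `valid', judge a session only by comparing its stored expiry with the current time, and invalidate by forcing that expiry into the past), as an added example; it is not code from Artanis or from either poster. The SQLite table, the function names and the timestamps are constructed for illustration.

```python
import secrets
import sqlite3

def open_store():
    """In-memory stand-in for the sessions table (constructed schema, no `valid` column)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, expires INTEGER NOT NULL)")
    return db

def create_session(db, now, ttl):
    sid = secrets.token_hex(16)
    db.execute("INSERT INTO sessions (sid, expires) VALUES (?, ?)", (sid, now + ttl))
    return sid

def check_session(db, sid, now):
    """Server-side check: only the stored expiry counts, never the cookie's own expiry."""
    row = db.execute("SELECT expires FROM sessions WHERE sid = ?", (sid,)).fetchone()
    if row is None:
        return False
    if row[0] <= now:
        # Expired or invalidated: drop the row so the sid cannot be reused.
        db.execute("DELETE FROM sessions WHERE sid = ?", (sid,))
        return False
    return True

def invalidate_session(db, sid):
    """Invalidate by forcing expiry; the WHERE clause limits it to one session."""
    cur = db.execute("UPDATE sessions SET expires = 0 WHERE sid = ?", (sid,))
    return cur.rowcount  # 1 if a session was invalidated, 0 if the sid was unknown

def demo():
    db = open_store()
    now = 1_616_480_000  # constructed timestamp
    alice = create_session(db, now, ttl=3600)
    bob = create_session(db, now, ttl=3600)
    return {
        "fresh": check_session(db, alice, now + 10),
        "invalidated_rows": invalidate_session(db, alice),
        "after_invalidate": check_session(db, alice, now + 20),
        "other_session": check_session(db, bob, now + 20),
        "after_ttl": check_session(db, bob, now + 3601),
        "unknown_sid": invalidate_session(db, "no-such-sid"),
    }

if __name__ == "__main__":
    print(demo())
```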