
Re: session invalidation not working


From: Mortimer Cladwell
Subject: Re: session invalidation not working
Date: Sat, 27 Feb 2021 07:31:44 -0500

Hi Nala,

Using Artanis v0.5 with the #:valid 1 corrections, session invalidation is still not working for me using Postgres, i.e. sessions.valid never equals 0.  Below I evaluate (:session rc 'check) for various combinations of database table sessions.expires (time expired or not), sessions.valid (0 or 1) and cookie "sid" expires/max age (time expired or not).  I manually UPDATE the sessions table to achieve the desired combinations, some of which are contrived, i.e. sessions.expires and cookie "sid" expires should always be the same but are different in some of my combinations below.

=====================

sessions.expires: not expired
sessions.valid: 1
cookie "sid" expires: not expired
(:session rc 'check): #t


sessions.expires: expired
sessions.valid: 1
cookie "sid" expires: not expired
(:session rc 'check): #f  (Artanis checks session.expires and indicates expired even if valid=1!! so valid is irrelevant (no - see below)?  Also, cookie "sid" is deleted)


sessions.expires: not expired
sessions.valid: 1
cookie "sid" expires: expired
(:session rc 'check): #t (Artanis ignores the cookie "sid" expiration time)


sessions.expires: not expired
sessions.valid: 0
cookie "sid" expires: not expired
(:session rc 'check): #f  (even though session.expires has not yet expired, valid=0 results in #f, so for (:session rc 'check)==#t, both sessions.expires and valid must be not expired and 1 respectively.  valid=0 does NOT result in removal of cookie "sid".)

=======================

Is session invalidation working for anyone?
Thanks
Mortimer

On Tue, Feb 16, 2021 at 3:40 PM Mortimer Cladwell <mbcladwell@gmail.com> wrote:
Hi Nala,

Thanks for v0.5 which is being used below with Guile-3.0.5/Debian10/Postgres12.4

 In my Postgres table sessions I never see sessions.valid=0, always sessions.valid=1, even for sessions that are months old.
 
 I see in artanis/session.scm:
 
 (define (backend:session-destory/db sb sid)
  (let ((mt (map-table-from-DB (session-backend-meta sb))))
    (mt 'set 'Sessions #:valid "0")))

In my table valid is an integer, and you have a note  " (valid integer)))) ; 1 for valid, 0 for expired"  at line 178 confirming integer.
For postgres the update needs to look like:
 
 UPDATE sessions SET valid=0 WHERE sid='df4f759814491a9b85e40202c29fe11a';

Note no quotes around 0. Is that the problem?

In session.scm and oht.scm I see a lot of "destory".  Should that be "destroy"?
 
 Thanks
 Mortimer
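
Added example, not part of the original message and not Artanis code: a Python/sqlite3 model of the check behaviour reported above, replaying the four combinations and an invalidation that sets valid to the integer 0 for a single sid. The schema, timestamps, sid values and function names are assumptions made for the illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the sessions table (constructed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sessions (sid TEXT PRIMARY KEY, expires INTEGER, valid INTEGER)")
    return db

def put(db, sid, expires, valid=1):
    db.execute("INSERT OR REPLACE INTO sessions VALUES (?, ?, ?)", (sid, expires, valid))

def check(db, sid, now, cookie_expires=None):
    """Server-side check modelled on the reported results: true only when the
    row is unexpired AND valid = 1. cookie_expires is accepted but deliberately
    unused, matching the observation that the cookie's own expiry is ignored."""
    row = db.execute("SELECT expires, valid FROM sessions WHERE sid = ?", (sid,)).fetchone()
    if row is None:
        return False
    expires, valid = row
    return expires > now and valid == 1

def invalidate(db, sid):
    """Mark one session invalid: integer 0, scoped by sid, both bound as parameters."""
    cur = db.execute("UPDATE sessions SET valid = ? WHERE sid = ?", (0, sid))
    return cur.rowcount

def observed_matrix():
    """Replay the four combinations from the message (timestamps constructed)."""
    now, past, future = 1000, 500, 2000
    db = make_db()
    # (sessions.expires, sessions.valid, cookie "sid" expires)
    cases = [(future, 1, future), (past, 1, future), (future, 1, past), (future, 0, future)]
    results = []
    for i, (expires, valid, cookie) in enumerate(cases):
        sid = f"sid-{i}"
        put(db, sid, expires, valid)
        results.append(check(db, sid, now, cookie))
    return results

def logout_affects_only_one():
    """Invalidating one sid must flip that row only and leave other sessions usable."""
    db = make_db()
    put(db, "alice", 2000)
    put(db, "bob", 2000)
    changed = invalidate(db, "alice")
    return changed, check(db, "alice", 1000), check(db, "bob", 1000)

if __name__ == "__main__":
    print(observed_matrix())
    print(logout_affects_only_one())
```

The third case is the one to watch in a real deployment: the server still accepts the sid after the cookie's expiry time, so only the database row's expires and valid columns end a session on the server side.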
