Comments (6)
Another use case is when a website only saves session data for the user and doesn't track HTTP request statistics. That session should be gotten once via Get but not resaved via Touch. Maybe in this case (or in addition to the interval), what we need is an IsNew func to tell if the Session has been written to the data store or not.
from scs.
The code I suggested is theory - a number of things are wrong with it. I've dug into the actual source to get a working example. Apologies for my naiveté - part of the learning process with a new repo. I'll post a link here when I have something.
I have a working version of TouchWithInterval in a forked repo. From the commit history, you can see there are two underlying issues that needed to be addressed first. Just initiated a pull request for these.
Touch is a mechanism for updating the deadline without making any changes to the data. It's primarily used in the Use middleware to update the deadline if - and only if - the user has set an IdleTimeout on the session. You probably know all of that already : )
// There can be quite a few quick Touches that in turn result in writing to the data store.
// This can result in unnecessary network traffic. For example, an HTTP request may only
// load a session with user data but it doesn't save any data back to the store. This
// function helps prevent it from happening.
That's exactly the point of Touch. It ensures that the deadline is always updated with each request when IdleTimeout is enabled even if there is no data changed or saved back to the store. In essence, it restarts the IdleTimeout period whenever some activity is seen from the user, even if the session data itself doesn't change.
My instinct is that for something as critical as session data and timeouts, IdleTimeout needs to be explicit and exacting about keeping a session alive if a user has been seen within a specific window, or timing it out if they haven't. Allowing developers to add an arbitrary interval, which means that a deadline may not be updated even if a user has been active, fundamentally breaks the exact and precise nature of the timeout.
While I understand that there are performance drawbacks to this, it's the tradeoff for having an accurate and exact IdleTimeout, which I don't really want to compromise from a security point of view.
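To make the trade-off in the reply above concrete, here is an added Go example. It is not scs code and not code posted by any participant; it models a session deadline with plain values and a constructed clock. The numbers (an IdleTimeout of 10 minutes, a 5 minute touch interval, a user seen at minute 4, a check at minute 12) and the behaviour of the hypothetical TouchWithInterval helper are assumptions chosen to show how an interval can expire a session that an exact idle timeout would have kept alive.

```go
package main

import (
	"fmt"
	"time"
)

// session is a minimal stand-in for stored session state: only the deadline
// and the time it was last persisted matter for this illustration.
type session struct {
	deadline  time.Time // the session is invalid from this instant on
	lastWrite time.Time // last time the deadline was written to the store
}

// newSession starts the idle window at creation, which is the first store write.
func newSession(now time.Time, idle time.Duration) *session {
	return &session{deadline: now.Add(idle), lastWrite: now}
}

// touchFunc is the shape shared by both strategies; it reports whether a store write happened.
type touchFunc func(s *session, now time.Time, idle, interval time.Duration) bool

// touchExact restarts the idle window on every request, unconditionally, which is
// what the thread describes the Use middleware doing when IdleTimeout is set.
func touchExact(s *session, now time.Time, idle, _ time.Duration) bool {
	s.deadline = now.Add(idle)
	s.lastWrite = now
	return true
}

// touchWithInterval is the hypothetical variant from the thread (an assumption,
// not an scs API): it skips the write, and so leaves the deadline stale, unless
// interval has elapsed since the last write.
func touchWithInterval(s *session, now time.Time, idle, interval time.Duration) bool {
	if now.Sub(s.lastWrite) < interval {
		return false
	}
	s.deadline = now.Add(idle)
	s.lastWrite = now
	return true
}

// simulate creates a session at minute 0, replays requests at the given minute
// offsets through touch, and reports whether the session is still alive at
// minute checkAt together with the number of store writes performed.
func simulate(touch touchFunc, requests []int, checkAt int, idle, interval time.Duration) (alive bool, writes int) {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed clock
	s := newSession(start, idle)
	writes = 1 // creation is itself a write
	for _, m := range requests {
		if touch(s, start.Add(time.Duration(m)*time.Minute), idle, interval) {
			writes++
		}
	}
	alive = start.Add(time.Duration(checkAt) * time.Minute).Before(s.deadline)
	return alive, writes
}

// Compare runs the assumed scenario: IdleTimeout 10m, interval 5m, a request at
// minute 4, checked at minute 12. Exact touching keeps the session alive until
// minute 14; the interval variant never refreshed the deadline past minute 10.
func Compare() (exactAlive, intervalAlive bool, exactWrites, intervalWrites int) {
	const idle, interval = 10 * time.Minute, 5 * time.Minute
	requests := []int{4}
	exactAlive, exactWrites = simulate(touchExact, requests, 12, idle, interval)
	intervalAlive, intervalWrites = simulate(touchWithInterval, requests, 12, idle, interval)
	return
}

func main() {
	ea, ia, ew, iw := Compare()
	fmt.Printf("exact touch:    alive at 12m = %v (%d writes)\n", ea, ew)
	fmt.Printf("interval touch: alive at 12m = %v (%d writes)\n", ia, iw)
}
```

The interval variant does save one write, but the price is that the effective idle window shrinks by up to the interval length whenever the user's last request falls inside a skipped touch, so a user active at minute 4 is logged out as if they had been idle since minute 0.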
WRT the point about calling Touch on static files, I really do think that the correct course of action is also the simplest - just don't use the session middleware on the static file routes.
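As an added example of the advice in the reply above (not scs code and not from any participant), the Go snippet below mounts a stand-in session middleware on application routes only and serves static assets outside it, then exercises both paths with httptest. The middleware here is a hypothetical counter that records one "touch" per request it sees; the in-memory static file is constructed for the example.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"sync/atomic"
	"testing/fstest"
)

// touchCount stands in for the store write a real session middleware would
// perform on every request that passes through it.
var touchCount int64

// withSession is a hypothetical session middleware: it "touches" the session
// (increments the counter) and then calls the wrapped handler.
func withSession(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		atomic.AddInt64(&touchCount, 1)
		next.ServeHTTP(w, r)
	})
}

// staticFS is a constructed in-memory asset tree so the example runs offline.
var staticFS = fstest.MapFS{
	"app.js": {Data: []byte("console.log('hello');\n")},
}

// NewRouter wires the static file server directly onto the top-level mux and
// wraps only the application mux in the session middleware.
func NewRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.FS(staticFS))))

	app := http.NewServeMux()
	app.HandleFunc("/dashboard", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("dashboard"))
	})
	mux.Handle("/", withSession(app))
	return mux
}

// Serve sends one GET to the router and reports the status code and whether
// the session middleware touched the session for that request.
func Serve(path string) (status int, touched bool) {
	before := atomic.LoadInt64(&touchCount)
	rec := httptest.NewRecorder()
	NewRouter().ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Code, atomic.LoadInt64(&touchCount) > before
}

func main() {
	for _, p := range []string{"/static/app.js", "/dashboard"} {
		status, touched := Serve(p)
		println(p, status, touched)
	}
}
```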
Thank you for the detailed explanation on Touch. That helps settle some of my thoughts.
I now see where my confusion comes from. IdleTimeout is baked into the middleware but I couldn't write the equivalent third party middleware b/c IdleTimeout is private. My middleware had a Touch for every request and nudged me down the path of TouchWithInterval.
I like that you placed the IdleTimeout logic in a different function than Touch(). It keeps Touch() pure. Have you thought about moving the middleware IdleTimeout logic to its own function? Maybe call it CheckIdleTimeout()? Then call that function from the middleware? Along with a corresponding function definition, I think it might be clearer for third party middleware to know it should call that function.
Exposing Opts is enough for anyone to replicate TouchWithInterval inside middleware b/c the saved property would be a value in data. I don't see a use case for it right now but nice to know I could re-implement later.
I think this issue can be closed. I'm going to open up two new ones to discuss other ideas. Thanks for your help on this!