Continued questions about session management
Hi,
I got some very good answers in issue #541, thanks for that.
You might consider adding some more info about sessions to the Javalin docs. As it is, the doc mentions that attribute and sessionAttribute exist, but it doesn’t explain any of their behaviors, or what the differences are.
I got the authentication and role handling down now, however I’m not quite there yet with Sessions.
This table stores the sessions in my Postgres:
sessions=# select * from jettysessions;
sessionid | contextpath | virtualhost | lastnode | accesstime | lastaccesstime | createtime | cookietime | lastsavedtime | expirytime | maxinterval | map
----------------------------------+-------------+-------------+----------+---------------+----------------+---------------+------------+---------------+------------+-------------+--------------------
node01bzaiac35kiu218im1jn4yxukv0 | | 0.0.0.0 | node0 | 1554899734977 | 1554899733548 | 1554899540517 | 0 | 1554899734984 | 0 | -1 | \xaced [truncated]
(1 row)
Questions:
- Will Javalin/Jetty ensure that sessions are removed from this table after a certain time, or do I need to write some housekeeping code? It doesn’t seem to be setting any expiry time, so I’m a little worried.
- How do I make a session persistent (“remember me”)? The default implementation seems to be to forget about the client when the browser is restarted. Javalin doesn’t seem to provide any entry point for manipulating the session cookie directly, unless I’m mistaken.
- Likewise, how can I set the HttpOnly attribute on the JSESSIONID cookie? It should be useful to protect the session ID from being stolen by XSS or similar. (Ref. https://www.owasp.org/index.php/HttpOnly#Mitigating_the_Most_Common_XSS_attack_using_HttpOnly)
Thanks for your continued efforts in bringing us this excellent library!
Joel
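The three questions above are all settings on the Jetty SessionHandler that Javalin lets you supply. The following is an added example, not code from this issue or from the Javalin project: it builds a JDBC-backed SessionHandler for a Javalin 2.x app, gives sessions an idle timeout so that the expirytime column is populated (with Jetty's default maxInactiveInterval of -1 a session never expires, which is what expirytime 0 and maxinterval -1 in the table above mean), marks the JSESSIONID cookie HttpOnly and Secure, and installs Jetty's HouseKeeper, the scavenger that deletes expired rows from the store. The PostgreSQL driver class, JDBC URL, port 7000 and the 60-second scavenge interval are assumptions for the example.

```java
// Added example (not from the issue or from Javalin): Jetty session configuration
// for a Javalin 2.x application. Assumes Javalin 2.x (app.server(...) and
// app.sessionHandler(...)), Jetty 9.4 session classes, and a PostgreSQL database
// reachable at the JDBC URL below (placeholder values).
import io.javalin.Javalin;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.DatabaseAdaptor;
import org.eclipse.jetty.server.session.DefaultSessionCache;
import org.eclipse.jetty.server.session.DefaultSessionIdManager;
import org.eclipse.jetty.server.session.HouseKeeper;
import org.eclipse.jetty.server.session.JDBCSessionDataStoreFactory;
import org.eclipse.jetty.server.session.SessionCache;
import org.eclipse.jetty.server.session.SessionHandler;

public class SessionConfig {

    public static void main(String[] args) {
        // Placeholder driver/URL; use your own connection details.
        String driver = "org.postgresql.Driver";
        String url = "jdbc:postgresql://localhost/sessions?user=app&password=change-me";

        Javalin.create()
            .server(SessionConfig::serverWithScavenger)
            .sessionHandler(() -> {
                try {
                    return jdbcSessionHandler(driver, url);
                } catch (Exception e) {
                    throw new IllegalStateException("session handler setup failed", e);
                }
            })
            .start(7000);
    }

    // Jetty creates a DefaultSessionIdManager with a HouseKeeper on its own if none is set;
    // building it explicitly lets us choose how often expired rows are scavenged.
    static Server serverWithScavenger() {
        Server server = new Server();
        DefaultSessionIdManager idManager = new DefaultSessionIdManager(server);
        HouseKeeper houseKeeper = new HouseKeeper();
        houseKeeper.setSessionIdManager(idManager);
        try {
            houseKeeper.setIntervalSec(60L); // scavenge every minute (Jetty default is 600 s)
        } catch (Exception e) {
            throw new IllegalStateException(e);
        }
        idManager.setSessionHouseKeeper(houseKeeper);
        server.setSessionIdManager(idManager);
        return server;
    }

    static SessionHandler jdbcSessionHandler(String driver, String url) throws Exception {
        SessionHandler sessionHandler = new SessionHandler();

        // Session data is persisted in the jettysessions table (Jetty creates it if missing).
        DatabaseAdaptor adaptor = new DatabaseAdaptor();
        adaptor.setDriverInfo(driver, url);
        JDBCSessionDataStoreFactory storeFactory = new JDBCSessionDataStoreFactory();
        storeFactory.setDatabaseAdaptor(adaptor);

        SessionCache cache = new DefaultSessionCache(sessionHandler);
        cache.setSessionDataStore(storeFactory.getSessionDataStore(sessionHandler));
        sessionHandler.setSessionCache(cache);

        // Idle timeout in seconds. The default -1 means "never expire": expirytime stays 0
        // and the HouseKeeper never removes the row. 30 minutes here is an assumed policy.
        sessionHandler.setMaxInactiveInterval(30 * 60);

        // JSESSIONID cookie hardening: not readable from JavaScript, only sent over TLS.
        sessionHandler.setHttpOnly(true);
        sessionHandler.setSecureRequestOnly(true);

        // Max-Age is a per-handler setting. -1 keeps JSESSIONID a browser-session cookie,
        // which is the safer default; a positive value would make every session persistent.
        sessionHandler.getSessionCookieConfig().setMaxAge(-1);

        return sessionHandler;
    }
}
```

After a login, a fresh row in jettysessions should now show a non-zero expirytime and maxinterval of 1800; once that time passes without a request, the HouseKeeper deletes the row on its next run, so no separate housekeeping job is needed for the session table itself.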
Issue Analytics
- Created 4 years ago
- Comments: 18 (6 by maintainers)
Top GitHub Comments
@tipsy I’m sure you know what I mean by a “remember me” checkbox on a login page?
I can’t find a way to change the variable sessionCookieConfig.maxAge other than globally, before I start the app, and in particular, I cannot set different Max-Ages on different sessions. (At least, that’s what I think after doing some digging in the Javalin code.)
I know I need a database store, but the same conclusion holds for RAM or File store - MaxAge is only configured per SessionHandler, isn’t it?
Thanks, that’s a very helpful update. Any more help and I’ll have to credit you as a co-author of my app! =)
I’ll try to write a small reproducer but it’ll have to be next week. I can open a bug ticket if I am really sure by then how to reproduce it.
(Edit: The below didn’t work after all)
For now, I thought I was able to get the desired result with this workaround in my “/login” endpoint:
It’s a bit of a kludge but it seemed to work in my integration tests. The cookie was set with an expiry time in 2087.
The only time I care about setting an expiry time is when a login succeeds, so it would have been good enough to do it there. However, when running this in a real browser, I see the login response has no less than three cookie entries, one with the old session ID, one autogenerated, and one manually generated. Of course, this means my problem is not solved…
Gah…
I tested using a FileSessionStore but same result.
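Since Max-Age is configured per SessionHandler, a "remember me" checkbox cannot be expressed by giving individual JSESSIONID cookies different lifetimes, and setting the cookie by hand alongside the container's own cookie leads to the duplicate Set-Cookie headers described above. The usual alternative is to leave JSESSIONID as a browser-session cookie and issue a second, persistent cookie carrying a random token that re-creates a session on the next visit. The following is an added example, not code from this issue or from Javalin: it assumes the Javalin 2.x API (io.javalin.Context, ctx.req, ctx.cookie(Cookie)), a Servlet 3.1 container for changeSessionId(), an in-memory map standing in for a database table of token hashes, and a placeholder checkPassword() in place of a real credential check.

```java
// Added example (not from the issue or from Javalin): "remember me" via a separate
// persistent token cookie. Assumes Javalin 2.x, Servlet 3.1 (changeSessionId),
// and placeholders for the credential check and the token table.
import io.javalin.Context;
import io.javalin.Javalin;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.Cookie;

public class RememberMe {
    static final String COOKIE = "remember_me";
    static final int THIRTY_DAYS = 30 * 24 * 60 * 60;
    // token hash -> username. Only the hash is stored, so a leaked table does not
    // yield usable tokens. Placeholder for a database table.
    static final Map<String, String> tokens = new ConcurrentHashMap<>();
    static final SecureRandom rng = new SecureRandom();

    public static void main(String[] args) {
        Javalin app = Javalin.create().start(7000); // port is an assumption

        // Re-establish a session from the remember-me cookie when there is none.
        app.before(ctx -> {
            String sessionUser = ctx.sessionAttribute("user");
            if (sessionUser != null) return;
            String token = ctx.cookie(COOKIE);
            if (token == null) return;
            String user = tokens.remove(sha256(token)); // single use: consume on redemption
            if (user == null) {
                ctx.removeCookie(COOKIE);               // unknown or already-used token
                return;
            }
            ctx.req.changeSessionId();                  // new id on privilege change (fixation)
            ctx.sessionAttribute("user", user);
            issueToken(ctx, user);                      // rotate: fresh token for next time
        });

        app.post("/login", ctx -> {
            String user = ctx.formParam("username");
            String pass = ctx.formParam("password");
            if (user == null || pass == null || !checkPassword(user, pass)) {
                ctx.status(401).result("bad credentials");
                return;
            }
            ctx.req.changeSessionId();
            ctx.sessionAttribute("user", user);
            if ("on".equals(ctx.formParam("remember"))) issueToken(ctx, user);
            ctx.result("logged in as " + user);
        });

        app.post("/logout", ctx -> {
            String token = ctx.cookie(COOKIE);
            if (token != null) tokens.remove(sha256(token));
            ctx.removeCookie(COOKIE);
            ctx.req.getSession().invalidate();          // drops the server-side session too
            ctx.result("logged out");
        });
    }

    static void issueToken(Context ctx, String user) {
        byte[] raw = new byte[32];                      // 256 bits of entropy
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        tokens.put(sha256(token), user);
        Cookie cookie = new Cookie(COOKIE, token);
        cookie.setPath("/");
        cookie.setMaxAge(THIRTY_DAYS);                  // persistent, unlike JSESSIONID
        cookie.setHttpOnly(true);                       // not readable from script
        cookie.setSecure(true);                         // TLS only
        ctx.cookie(cookie);
    }

    static String sha256(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    static boolean checkPassword(String user, String pass) {
        // Placeholder only: replace with a real password-hash comparison.
        return "demo".equals(user) && "demo".equals(pass);
    }
}
```

With this split the login response carries at most two cookies, the container's JSESSIONID and the remember_me token, and the session store's expiry and HttpOnly settings stay under the SessionHandler's control. Tokens are single use and rotated on each redemption, so a token copied from one browser stops working once the legitimate browser has used it.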