Golang Gorilla/session - go

I'm trying to build a simple web application with a user login.
I found this function in another post here.
    func initSession(r *http.Request) *sessions.Session {
        session, _ := store.Get(r, "mBoxStore")
        if session.IsNew {
            session.Options.Domain = "localhost"
            session.Options.MaxAge = 10
            session.Options.HttpOnly = false
            session.Options.Secure = false
            log.Println("Create New Session (cookie)")
        } else {
            log.Println("Use Old Session (old cookie)")
        }
        return session
    }
The cookie expires after 10 seconds, but when I reload the page after e.g. 1 minute
it uses the old (expired) cookie.
In my browser (Firefox) I see the cookie with the right expiry date.
I think it should create a new session with a new cookie, or is that wrong?
Any tips?

The reason you're seeing Use Old Session (old cookie) is because the session options are only being set when the cookie is first created. Each time you access the cookie before it expires (isNew == false) Options are not being set, and the defaults are overriding those you set on creation of the session. The default MaxAge is 86400 * 30 (one month).
You can verify this by:
1. Clearing all cookies for the site (i.e. localhost)
2. Bringing up a route in your browser
3. Checking the expiry date on the freshly created cookie - you'll see it's now + 10 seconds
4. Wait out that 10 seconds.
5. Refresh the page - your log should confirm it's a new cookie.
6. Now refresh the page before the cookie expires (i.e. within 10 seconds)
You'll see the expiry has an expiry of now + 1 month (the default).
This is why I suggest setting your session options once, on application startup. Only deviate if you are setting shorter cookie lifetimes for authentication security purposes, and in those cases use a different session name (i.e. _csrf_token with an expiry of 4 hours).
The code snippet you're using isn't really ideal either as it completely ignores any errors encountered when trying to retrieve a session. You might run into errors if your underlying session store is broken, and/or the user has cookies disabled.
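
The behaviour described in the answer above, as an added example that is not part of the original posts and does not use gorilla/sessions itself. The store type, handler, maxAges and the cookie value "v" are constructed stand-ins; the assumption modelled is the one the answer states, that each request's session options start from the store defaults. The cookie name, the 10 second MaxAge and the 86400 * 30 default come from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const cookieName = "mBoxStore"

// Constructed stand-in for a cookie session store (not gorilla/sessions):
// every request's session options start as a copy of the store defaults.
type store struct{ DefaultMaxAge int }

// handler reproduces the question's pattern when overrideOnNew is true:
// MaxAge becomes 10 only for a new session; later saves use the default.
func handler(st store, overrideOnNew bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		_, err := r.Cookie(cookieName)
		isNew, maxAge := err != nil, st.DefaultMaxAge
		if overrideOnNew && isNew {
			maxAge = 10
		}
		http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "v", Path: "/", MaxAge: maxAge})
	}
}

// maxAges sends two requests, the second carrying the first response's
// cookie, and returns the Max-Age of each Set-Cookie header.
func maxAges(h http.Handler) [2]int {
	var out [2]int
	var jar []*http.Cookie
	for i := range out {
		req := httptest.NewRequest("GET", "/", nil)
		for _, c := range jar {
			req.AddCookie(c)
		}
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, req)
		jar = rec.Result().Cookies()
		out[i] = jar[0].MaxAge
	}
	return out
}

func main() {
	fmt.Println("override on new only:", maxAges(handler(store{86400 * 30}, true)))
	fmt.Println("set once on the store:", maxAges(handler(store{10}, false)))
}
```

maxAges accepts any http.Handler, so the same two-request check can be pointed at a real handler to confirm that the cookie lifetime does not change after the first response.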

Related

Refresh expiration of cookie of session in spring boot

I am solving problem with cookie expiration which holds information about session with given user.
I tried this solution:
refresh cookie on each request in spring
but the condition cookie.getValue().contentEquals(request.getSession().getId()) never passes.
Our case: We have stored user session in redis, which has some expiration (for instance 30 min)
In spring we have configured cookie like this:
spring.session.timeout=1d
server.servlet.session.cookie.secure=true
server.servlet.session.cookie.http-only=true
server.servlet.session.cookie.max-age=1d
When the user is working on the website, the session's expiration is renewed, but the cookie has a fixed expiration of 1d, so at some moment it removes all user data. We need to set this cookie expiration by session, or automatically renew it. Is it possible? We are using Boot 2.

By default every cookie acts as a session cookie, which means the cookie is expired as soon as the session ends (basically when the browser is closed). But you are overriding the default behaviour and making it a permanent cookie by adding server.servlet.session.cookie.max-age=1d. Remove that property and it should work.

Ctrl+Shift+Del (clearing Browser cache) vs Session Expiry

Let's say a session for an application is opened and its session expiry time is 15 min.
Scenarios:
1. Leaving the application for 15 min and doing some action after that - leading to the Login Page.
2. The other way, I am removing the browser cookies (using Ctrl+Shift+Del) and trying to navigate in the application - leading to the Login Page.
The question is: will both of the above cases be one and the same, or will there be any difference in the behavior?

The first scenario is based on a cookie expiring while the second one will have the cookie removed.
If you are guaranteed the refresh for the first case is made after the cookie expired, then the client behaviour will be the same (login page) although the internal workings will be different (check the cookie exists vs check its expiry date).
If you can't guarantee the operation will happen after the cookie expiry, then you won't get the same outcome.
Depending on what you do on the server, you might end up with multiple sessions for the same user in the second case, because the server doesn't know the user has deleted the cookie (there are mechanisms to compensate for this though).

Losing auth session in Laravel

In file app/config/session.php I've changed lifetime to 30 days. Using browser console I see that cookie is set correctly.
After an hour session cookie remains unchanged yet my auth session is lost.
I'm using native session driver. It's using the cookie, so as far as I understand session should remain valid till there's a cookie.
Any ideas why this is happening?

There are a few settings in your php.ini file that look like they could be impacting this functionality. I'm guessing the first one is probably the culprit since you are using cookies.
session.cookie_lifetime = 0
session.gc_maxlifetime = 1440
session.cache_expire = 180

Express connect session expiry not working as expected

In a web app I am developing using express.js, I am having a problem expiring sessions when a user has not been active for more than 10 minutes. I am using connect-couchdb as the session store.
I tried setting the req.session.cookie.maxAge = 600000. But this causes the session to expire 10 mins after logging in irrespective of user activity. My understanding of the documentation is that req.session.touch() will be called automatically by the connect middleware and hence maxAge (and the expires date) should get refreshed so it lasts another 10 mins, but it is not happening!!
I also tried setting maxAge to 600000 on each request and calling req.session.save() but even then there is no effect.
What am I doing wrong?

You are not doing anything wrong; this is a bug in Connect. The session cookie gets updated in the server, but not pushed to the client, and so the client keeps trying to use the old cookie, which will expire sooner than you want.
More details and discussion here.

Show popin if session is inactive

In my web application, I would show a popin if the session was inactive for 30 minutes.
Have you any idea about how to do that with SpringMVC?
Thank you

I would do this as follows:
1. Configure your container to expire sessions after 30 mins.
2. When a user makes an initial request and a new session is created, store a cookie which contains the session id.
3. On subsequent requests check the session id on the request against the session id stored in the cookie; if they're different, the user's previous session has expired and you should show a pop-up.
One more thing to note, ensure that you set the max age of the cookie to be negative. This ensures that the cookie is deleted when the browser is closed. If you don't do this, the next time the user opens their browser and goes to your site they will see the pop-up.
