Destroying all sessions for a given user? #865
Comments
@kleydon I implemented this in the past by changing the genid function. The idea is to generate a random id that we can find later, i.e. the trick here is to overwrite the user session id once they log in.
@revington - thanks for this!
The solution provided by revington is definitely a good one; it will do what you expect. Therefore, my suggestion is to leave the requested functionality out of session management but persist this information in the database. Upon login, the user session ID should be stored in the database together with all the metadata you want. You might think "But then you are storing data redundantly, as my session ID is already in the database", but I disagree with that. You are merely storing a reference, just as you would with other relations between tables.
@ultimate-tester Thanks; appreciate your insight / experience on this.
@ultimate-tester I found this thread through a Google search. Can you confirm that I understand your suggested approach correctly:
So I assume it is safe to store express session ids in the database (sorry for the noob question)?
Hi there, you're completely right in your understanding. Session IDs are not a secret, so they don't need special treatment; they get sent to the client after all (although signed, but that's to prevent people from "guessing" valid session IDs).
@ultimate-tester Thank you. Would you additionally check on each request whether the sessionId is contained in the user array? I'm a bit afraid of having orphaned sessions because the
Good question. I currently have quite a naive approach, using the user login and logout routes to store and remove the session ID in the database.
@florianwalther-private @ultimate-tester there is no need to loop nor keep a list of ids. The way I do this: create a genid function that prefixes the id with the user id:

const crypto = require('crypto');
function genid(req) {
  const userId = req?.session?.userId || 0; // 0 = anonymous session (not logged in yet)
  const randomId = crypto.randomBytes(16).toString('hex'); // random id without "-" char
  return `${userId}-${randomId}`;
}

Supply this function to session when you create the session middleware. When a user logs in, just copy all session data into some variable and call regenerate; this will terminate the previous session and create a new one. Then copy the old data back into the session again. How do you implement destroy all? Just go to redis or any other backend and delete
@revington Thank you, that seems like a better idea and should avoid orphaned sessions (which I think can be very dangerous). I'll try that out 👍
@revington
@florianwalther-private are you passing your genid function to the session function? https://github.com/expressjs/session#genid
I call this on login:
And this is my session setup:
But I always get
@revington Nevermind, I got it to work. I misunderstood your "copy the old session data to the new session". I think my line req.session = sessionData; just overwrote the session (and hence the userId was gone again). This is my login code now:
If I don't have anything but the userId in the session, I don't need to copy any old session data to the new session, right?
Right! If you use passport, double check that passport itself is not creating some data.
On Sat, 14 May 2022 16:19, Florian Walther ***@***.***> wrote:
… @revington <https://github.com/revington> Nevermind, I got it to work. I misunderstood your "copy the old session data to the new session". My line req.session = sessionData; just overwrote the session (and hence the userId was gone again).
This is my login code now:
const match = await bcrypt.compare(password, user.password);
if (match) {
req.session.userId = user._id;
req.session.regenerate(error => {
if (error) {
res.status(500).json({ error: error });
} else {
res.status(200).json(user);
}
});
} else {
res.sendStatus(401);
}
*If I don't have anything but the userId in the session, I don't need to
copy any old session data to the new session, right?*
I'm using
Ok I got it now. I have to put another
Is this how you have it too?
Hi,
I'm maintaining the express session store for Prisma (prisma-session-store).
Recently, a developer asked whether there might be a way to destroy all sessions for a given user (as might be desirable when logging out of all devices, changing a password, etc.).
While this can be accomplished at the back-end application layer, it requires (I think?) downloading all sessions and then filtering them, which might not be ideal if there are hundreds or thousands of sessions.
I'm considering adding the ability to destroy all sessions for a given user as a feature specific to the data store that I'm maintaining, but wanted to check in first, to see if something along these lines might be in the cards for the express-session library (and the session store interface it exposes) more generally...
Do you imagine this library would surface this sort of functionality in the future? Or does this seem like the sort of thing that ought to live in each specific session store implementation?
Any advice / recommendations / rationales would be much appreciated.