resetSession() behaviour


Mohammad Bhuyan

Nov 20, 2012, 7:03:25 AM
to xitrum-f...@googlegroups.com
Normally, as long as I am not setting anything to session, Xitrum is not pushing any session cookie. Nice and clean.

Except I have noticed that doing a resetSession(..) (even if nothing is being set to the session) causes Xitrum to push a session cookie.

Is it necessary? I know I can programmatically ensure not to do a resetSession without the need, but this coupling should not be there in the first place.

Just my 2 cents.

Regards,

Mohammad

Ngoc Dao

Nov 20, 2012, 9:06:44 AM
to Xitrum web framework
I think in practice resetSession() is always followed by putting
something to the session. It means that resetSession() is a way to
make sure that the session is in the clean state before putting new
things:
http://guides.rubyonrails.org/security.html#session-fixation-countermeasures

But your suggestion is still very wise, I will add it to the TODO
list, thanks.

Ngoc Dao

Nov 20, 2012, 9:11:20 AM
to Xitrum web framework
I think "always followed..." in my previous post is not correct. At
"logout", usually nothing more will be put in the session.

Ngoc Dao

Nov 20, 2012, 11:32:00 AM
to Xitrum web framework
Mohammad Bhuyan, I've pushed this commit based on your suggestion:
https://github.com/ngocdaothanh/xitrum/commit/0b42eaf921e20a834b12ee261760dbdb423a9a7e

When storing the session (when sending the response back to the browser):

If the session is empty:
- If the browser did not send a session cookie: do nothing, do not send back a useless cookie
- If the browser did send a session cookie: set max age to 0 to make the browser delete the session cookie immediately

Also, for simplicity, resetSession() has been changed to
session.clear().

To try this version, in your project's build.sbt file:
libraryDependencies += "tv.cntt" %% "xitrum" % "1.9.11-SNAPSHOT"

Ngoc Dao

Nov 20, 2012, 11:39:25 AM
to Xitrum web framework
> To try this version, in your project's build.sbt file:
> libraryDependencies += "tv.cntt" %% "xitrum" % "1.9.11-SNAPSHOT"

Ah, to use the SNAPSHOT version, please add this line to your
build.sbt:
resolvers += "SonatypeSnapshots" at "http://oss.sonatype.org/content/repositories/snapshots/"

Mohammad Bhuyan

Nov 20, 2012, 4:18:52 PM
to xitrum-f...@googlegroups.com
> Also, for simplicity, resetSession() has been changed to
> session.clear().

Fantastic Ngoc, this is exactly what I was thinking later. A "logout" situation would need to clear the session.

I appreciate your fast response time.
Ngoc Dao

Nov 20, 2012, 5:58:30 PM
to Xitrum web framework
But in practice, at "logout" you usually set the flash "You have logged
out" and redirect to an index page. Flash is implemented with the session,
so the session cookie will be sent anyway.
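The rule from the commit above (empty session and no cookie from the browser: send nothing; empty session but the browser still holds a cookie: Max-Age=0; non-empty session: send the cookie) and the flash caveat from this last post, modelled as an added stand-alone example. This is not Xitrum's code; the cookie name, the flash key and the unsigned base64 serialisation are constructed stand-ins.

```python
import base64
import json
from dataclasses import dataclass
from typing import Optional

# Constructed names for this model; not Xitrum's actual cookie name or flash key.
SESSION_COOKIE = "_session"
FLASH_KEY = "_flash"


@dataclass
class Response:
    set_cookie: Optional[str] = None  # Set-Cookie header value, None when omitted


def encode(session: dict) -> str:
    # Stand-in for the framework's session serialisation (unsigned, illustration only).
    return base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()


def store_session(session: dict, request_cookies: dict, response: Response) -> Response:
    """Apply the storage rule when the response is about to be sent back."""
    if session:
        # Session holds data: send the cookie carrying it.
        response.set_cookie = f"{SESSION_COOKIE}={encode(session)}; Path=/; HttpOnly"
    elif SESSION_COOKIE in request_cookies:
        # Empty session but the browser still holds a cookie: tell it to delete it now.
        response.set_cookie = f"{SESSION_COOKIE}=; Max-Age=0; Path=/; HttpOnly"
    # Empty session and no cookie from the browser: send nothing at all.
    return response


def logout(session: dict, request_cookies: dict, flash: Optional[str] = None) -> Response:
    """Logout as discussed in the thread: clear the session, optionally set a flash."""
    session.clear()
    if flash is not None:
        # Flash is stored in the session, so setting it brings the cookie back.
        session[FLASH_KEY] = flash
    return store_session(session, request_cookies, Response())


if __name__ == "__main__":
    # Anonymous visitor, nothing written to the session: no Set-Cookie header.
    print(store_session({}, {}, Response()).set_cookie)
    # Logout without a flash: the browser is told to drop its cookie.
    print(logout({"user": "alice"}, {SESSION_COOKIE: "abc"}).set_cookie)
    # Logout with a flash: the cookie is sent again, carrying only the flash.
    print(logout({"user": "alice"}, {SESSION_COOKIE: "abc"}, flash="You have logged out").set_cookie)
```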