What is the best way to clean datastore expired sessions?


Miguel Pagan Murphy

Sep 18, 2018, 12:24:39 PM
to Google App Engine
Hi, 

I have an app in App Engine standard that records session data to memcache. After seeing that it was persisted in the datastorage for some reason (I'm not fully understanding why), I've been researching how to clean up the expired session entries from datastore and have read that the best way to do it is with a cron. However, all the implementations I've seen are unofficial. What would be the right/correct way to do it? I haven't been able to find it in the docs.

On the other side, I'm looking to invalidate a user's session created in memcache and cannot find the right way to do it. Does anyone have any pointers in this direction? Is there any way to do it with some of the user's details? (Search by a certain field stored in user session, etc.).

Thanks.

Miguel Pagán Murphy. 

George (Cloud Platform Support)

Sep 18, 2018, 8:35:11 PM
to Google App Engine
Hello Miguel, 

To clean data in both Memcache and Datastore, you should use the corresponding key. In the case of Memcache, to remove a value from the cache (to evict it immediately), call the remove() method with the key as its argument. To remove every value from the cache for the application, call the clear() method. Related detail may be read on the "Using Memcache" page. In Memcache, you may write your data limiting its persistence: the app can provide an expiration time when a value is stored, as either a number of seconds relative to when the value is added, or as an absolute Unix epoch time in the future. This is documented on the "Memcache Overview" page.

Similarly, in case of Datastore, when an entity is no longer needed, you can remove it from Cloud Datastore with the key's delete() method, a statement similar to sandy.key.delete(). The "Creating, Retrieving, Updating, and Deleting Entities" page might offer more insight. In both cases, your code should keep track of the keys, to be able to perform the delete operation. You may use App Engine Cron Service to perform these operations at appropriate times, in accordance with your app's needs.  

How did you ascertain that Memcache data was persisted to Datastore? When did you first notice it? 

Miguel Pagan Murphy

Sep 20, 2018, 1:15:12 PM
to Google App Engine
Hi George,

Basically it's because of the "_ah_SESSION" token. This token is created whenever an app engine standard application stores a user's session and contains all the information about the session.

Something that was not easy to find is that when it's created it is then stored both on memcache and on datastore, and never cleaned from datastore, even if its expiration (_expires) period passes. 

We have ended up creating a cloud function to delete from datastore all expired entries with a cron, but that has reached a whole new level of issues with security (which I will leave for another post).

One last thing, as feedback: it's a bit "sneaky" to store data from the users in datastore without providing a free way to clean it afterwards. I mean, just to clean up the expired entries we are gonna have to pay for:
- Reading from the datastore.
- Deleting from the datastore.
- Cloud function periodically activated.

For something that is neither our wish nor our desire to have, ;).

On the other hand, if we didn't pay for it, I already have more than 500 MB of expired session entries on datastore, meaning that I'd still have to pay to store something I have no wish or use to store, without any notification of it.

The reference by which I found out was a few articles similar to this: http://www.zoftino.com/google-app-engine-session-data-cleanup
Once you start to look in depth, it's all over the place, but if you're not aware, it's hard to find it referenced in the docs.

Anyway, thanks for your assistance.

Miguel Pagán Murphy

Yasser Karout (Cloud Platform Support)

Sep 20, 2018, 5:30:14 PM
to Google App Engine
Hello,

I found this Java servlet that could potentially help you clear the "_ah_SESSION" tokens. It is discussed on this Issue Tracker link. You can also find more information about why the property is needed in this Issue Tracker link (see comments #8 and #9).
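
An added example, not part of any post in this thread and not the servlet linked above: the cron-driven cleanup discussed here, reduced to its core loop of selecting expired `_ah_SESSION` keys and deleting them in bounded batches. It assumes `_expires` holds epoch milliseconds; `InMemoryStore` and its `expired_keys`/`delete_multi` methods are a hypothetical stand-in for a Datastore client, and all sample data is constructed.

```python
import time

KIND = "_ah_SESSION"
BATCH = 500  # Datastore accepts at most 500 entities per commit


class InMemoryStore:
    """Constructed stand-in for a Datastore client (hypothetical interface)."""

    def __init__(self, rows):
        self.rows = dict(rows)  # (kind, name) -> properties
        self.delete_calls = 0

    def expired_keys(self, kind, before_ms, limit):
        # Models a keys-only query: kind matches AND _expires < before_ms.
        # Entities without an integer _expires never match, so they survive.
        hits = [k for k, p in self.rows.items()
                if k[0] == kind and isinstance(p.get("_expires"), int)
                and p["_expires"] < before_ms]
        return sorted(hits)[:limit]

    def delete_multi(self, keys):
        self.delete_calls += 1
        for k in keys:
            self.rows.pop(k, None)


def purge_expired_sessions(store, now_ms=None, max_deletes=5000):
    """Delete expired sessions; return how many were removed in this run."""
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    removed = 0
    while removed < max_deletes:  # cap the work done by one cron invocation
        keys = store.expired_keys(KIND, now_ms, min(BATCH, max_deletes - removed))
        if not keys:
            break
        store.delete_multi(keys)
        removed += len(keys)
    return removed


def demo():
    now = 1_537_450_000_000  # constructed "current time" in ms
    rows = {(KIND, f"s{i:04d}"): {"_expires": now - 1000} for i in range(1200)}
    rows[(KIND, "live")] = {"_expires": now + 60_000}  # still valid
    rows[(KIND, "odd")] = {}                           # no _expires: left alone
    rows[("User", "u1")] = {"_expires": 0}             # other kind: left alone
    store = InMemoryStore(rows)
    return purge_expired_sessions(store, now), store
```

Selecting keys only and capping each run keeps the read and delete cost of a cron invocation predictable; the leftover backlog is picked up by the next run.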
