Session timeouts?


Timothy Washington

Dec 20, 2011, 11:02:35 PM
to sandbar...@googlegroups.com
Hi all, quick Q.

Using Ring / Compojure, is there a way to block a user if their session has timed out (or is otherwise invalid)? I think I need Sandbar's Stateful sessions to get this, as Ring doesn't provide that. 

The reason I'm asking, is because I'm using the new "Account Chooser" to do authentication. What I'm really interested in is, when a successful login occurs (from an external source), Ring or Sandbar's Session is kicked off. Otherwise, not. And again, I want to see if a session has timed out. Looking at Sandbar Session's functions here, I can't see where to ask if a session is alive. 

user=> (require 'sandbar.stateful-session)
user=> (ns-publics 'sandbar.stateful-session)
 session-delete-key!
 session-put!
 update-session!
 wrap-stateful-session*
 flash-put!
 session-pop!
 flash-get
 destroy-session!
 sandbar-flash
 sandbar-session
 wrap-stateful-session
 session-get


Webnoir doesn't seem to have the concept either... Hmm.


Thanks
Tim

Takahiro

Dec 21, 2011, 4:03:18 AM
to sandbar...@googlegroups.com
Hi,

session-expiry middleware removes a session after a specified time
from last access, but I don't know if this is helpful for your purpose.
https://github.com/hozumi/session-expiry



Timothy Washington

Dec 21, 2011, 2:11:19 PM
to sandbar...@googlegroups.com
This looks interesting. 

So when a session times out, does a nil or empty map get returned from the request (or response)? And I assume this can be used in Sandbar's notion of stateful sessions (since it just uses Ring under the hood). 

One thing I'm trying to wrap my head around, is when Ring ( thus Compojure or Sandbar ) creates a session. Basically, with low-level ring, it looks like we are just wrapping an already existing HTTP session (see code here). Thanks for the feedback. 


Tim 

Takahiro

Dec 21, 2011, 6:27:13 PM
to sandbar...@googlegroups.com
> So when a session times out, does a nil or empty map get returned from the
> request (or response)?

Yes, an empty map gets returned from the request-map.
(:session req) ;=> {}

> And I assume this can be used in Sandbar's notion of
> stateful sessions (since it just uses Ring under the hood).

You can combine any number of middleware.
(def app
  (-> #'handler
      (wrap-session-expiry 3600)
      sandbar.stateful-session/wrap-stateful-session
      ring.middleware.cookies/wrap-cookies))

> One thing I'm trying to wrap my head around, is when Ring ( thus Compojure
> or Sandbar ) creates a session.

I didn't understand it until you asked.
If the request has no ring-session in its cookie and the response-map has
:session (not nil), then Set-Cookie: ring-session=... seems to be
emitted.
It also depends on the implementation of write-session of the SessionStore
protocol, because Set-Cookie is emitted every time write-session
returns a new key.
MemoryStore (default) returns a new key only when the request has no
ring-session key in its cookie.

ref
https://github.com/mmcgrana/ring/blob/master/ring-core/src/ring/middleware/session/store.clj
https://github.com/mmcgrana/ring/blob/master/ring-core/src/ring/middleware/session/memory.clj#L11
https://github.com/mmcgrana/ring/blob/master/ring-core/src/ring/middleware/cookies.clj#L118

Thanks.


Timothy Washington

Dec 23, 2011, 8:10:09 AM
to sandbar...@googlegroups.com
I had to think about and dig into the code to understand it. And I'm still a bit fuzzy, so I'll try it out. Thanks for the feedback. 

Tim 
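
An added example (not part of the thread, and not the session-expiry or Sandbar source) of the behaviour discussed above: an idle timeout that hands the handler an empty session, plus a guard that blocks any request without a logged-in session. The key names ::last-access and :user, the /login-callback route and the example.session-timeout namespace are assumptions; the only library call used is Ring's ring.middleware.session/wrap-session.

```clojure
(ns example.session-timeout
  (:require [ring.middleware.session :refer [wrap-session]]))

;; Assumed names for this example: ::last-access and :user are not keys
;; defined by Ring, Sandbar or session-expiry.
(defn- now-secs [] (quot (System/currentTimeMillis) 1000))

(defn wrap-idle-timeout
  "Gives the handler an empty session once more than max-idle-secs have
  passed since the previous request; otherwise refreshes the timestamp."
  [handler max-idle-secs]
  (fn [req]
    (let [session  (or (:session req) {})
          seen     (::last-access session)
          expired? (boolean (and seen (> (- (now-secs) seen) max-idle-secs)))
          session  (if expired? {} session)
          resp     (handler (assoc req :session session))
          ;; Ring: a response without a :session key leaves the session as is.
          out      (if (contains? resp :session) (:session resp) session)]
      (cond
        (nil? resp) nil
        (seq out)   (assoc resp :session (assoc out ::last-access (now-secs)))
        expired?    (assoc resp :session nil) ; delete the stale store entry
        :else       resp))))

(defn wrap-require-login
  "Rejects requests whose session has no :user: never logged in or timed out."
  [handler]
  (fn [req]
    (if (get-in req [:session :user])
      (handler req)
      {:status 401 :headers {"Content-Type" "text/plain"}
       :body "Session expired or not logged in"})))

(defn protected [req]
  {:status 200 :headers {"Content-Type" "text/plain"}
   :body (str "Hello, " (get-in req [:session :user]))})

;; Stand-in for the point where the external login has been verified;
;; a session is created only here, by returning :session in the response.
(defn login-callback [_req]
  {:status 200 :headers {} :body "ok" :session {:user "tim"}})

(defn routes [req]
  (if (= "/login-callback" (:uri req))
    (login-callback req)
    ((wrap-require-login protected) req)))

(def app (-> routes (wrap-idle-timeout 3600) wrap-session))
```

Because the timestamp lives in the server-side session map, the timeout is enforced by the server regardless of the cookie's own lifetime.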