Different behavior between wrap-session and wrap-stateful-session

Takahiro Hozumi

Nov 11, 2010, 1:25:50 PM
to Sandbar Library
Hi,
I'm using stateful-session and I have a problem with the different
behavior of ring.middleware.session and stateful-session.

The ring.middleware.session/wrap-session calls SessionStore protocol
as follows.
- The write-session method is called when {:session value} is included
into the response map.
- No method is called when the response map doesn't have :session key.

sandbar.stateful-session behaves as follows.
- The write-session method is always called, even if you don't modify
the session.

This difference can be a problem if you make middleware which manipulates
the session only when it is updated.
I am implementing a session store which changes the session id every
time the session is updated. This behavior prevents session fixation
attacks.
I want sandbar not to include the :session key in the response map when
there is no update.
Thanks.

--
Takahiro Hozumi
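As an added illustration of the store described above (example code written for this thread, not Sandbar's or the poster's implementation), here is a minimal in-memory Ring SessionStore that issues a fresh session id on every write. It assumes Ring 1.x, whose wrap-session calls write-session only when the response map contains a :session key and sets a new cookie whenever write-session returns a different key. The names RotatingMemoryStore, handler, session-id and demo are hypothetical, as is the "alice" user.

```clojure
(ns example.rotating-store
  (:require [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.store :refer [SessionStore]])
  (:import java.util.UUID))

;; Hypothetical in-memory SessionStore that discards the old session id
;; and issues a fresh one on every write. Ring's wrap-session only calls
;; write-session when the response map contains a :session key, so the
;; id rotates exactly when the application changes the session, which is
;; the fixation-resistant behaviour the thread asks for.
(deftype RotatingMemoryStore [sessions]
  SessionStore
  (read-session [_ key]
    (get @sessions key {}))
  (write-session [_ key data]
    (let [new-key (str (UUID/randomUUID))]
      ;; Drop the old id atomically so it cannot be replayed after rotation.
      (swap! sessions #(-> % (dissoc key) (assoc new-key data)))
      ;; Returning a different key makes wrap-session emit a new cookie.
      new-key))
  (delete-session [_ key]
    (swap! sessions dissoc key)
    nil))

(defn rotating-memory-store []
  (RotatingMemoryStore. (atom {})))

;; Toy handler: only /login touches the session. Every other route
;; returns no :session key, so the store is never written for it.
(defn handler [request]
  (if (= "/login" (:uri request))
    {:status 200 :headers {} :body "logged in"
     :session (assoc (:session request) :user "alice")}
    {:status 200 :headers {} :body "hello"}))

(defn session-id
  "Extract the ring-session id from a response's Set-Cookie header, or nil."
  [response]
  (some->> (get-in response [:headers "Set-Cookie"])
           (some #(re-find #"ring-session=([^;]+)" %))
           second))

(defn demo
  "Drive three constructed requests through the middleware and report
   whether the store behaved as a fixation-resistant store should."
  []
  (let [store (rotating-memory-store)
        app   (wrap-session handler {:store store})
        ;; 1. login with no cookie: session written, first id issued
        r1    (app {:request-method :get :uri "/login" :headers {}})
        id1   (session-id r1)
        ;; 2. plain page with that cookie: no :session in response, no write
        r2    (app {:request-method :get :uri "/"
                    :headers {"cookie" (str "ring-session=" id1)}})
        ;; 3. login again: session written, id rotated, old id invalidated
        r3    (app {:request-method :get :uri "/login"
                    :headers {"cookie" (str "ring-session=" id1)}})
        id2   (session-id r3)]
    {:first-id        id1
     :cookie-on-read? (contains? (:headers r2) "Set-Cookie")      ; expected false
     :rotated?        (and (some? id2) (not= id1 id2))             ; expected true
     :old-id-valid?   (contains? @(.sessions ^RotatingMemoryStore store) id1)})) ; expected false

(comment
  (demo))
```

The point of the demo is the second request: because the handler returns no :session key, wrap-session never calls write-session, so no cookie is reissued. A middleware that always writes the session back (the behaviour the post describes) would rotate the id on every request, which is harmless but defeats the "only when updated" contract the store relies on.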

Brenton

Nov 11, 2010, 11:35:02 PM
to Sandbar Library
You are correct, if the session has not changed then there is no
reason to add it to the response. I will make this change tomorrow or
over the weekend.

Thanks for reporting this.

Brenton

Brenton

Nov 12, 2010, 5:27:51 PM
to Sandbar Library
Takahiro,

I have made this change. It has been pushed to Clojars as sandbar
"0.3.0-SNAPSHOT". I have improved the implementation of stateful-session
so that hopefully it is a bit clearer. Unfortunately, it is a
complex problem to figure out how to correctly merge data that comes
in under the :session key of a response and from the stateful session
atom. To hopefully make this more clear, I have created a table which
shows what Sandbar does in each situation. It is located under the
"Implementation" heading here:

https://github.com/brentonashworth/sandbar/wiki/Stateful-Sessions

As you can see in the table, if the request does not contain
a :session key (Ring session is :empty) and nothing has changed in the
Sandbar session (Sandbar session will also be :empty) then
the :session key will not be included in the response.

Let me know if this is indeed the fix that you were looking for or if
you have any better ideas about how to deal with this problem.

Brenton


Takahiro Hozumi

Nov 12, 2010, 11:28:46 PM
to Sandbar Library
I have confirmed it works well.
Thank you for the reply and the document!