Closed agrafix closed 8 years ago
Just found that too - IMO it would suffice to change in Web.Spock.Internal.SessionManager the sessionMiddleware to just set the cookie header unconditionally (or conditionally on the sc_sessionExpandTTL). BTW: is there any use case for having sc_sessionExpandTTL set to False?
Just found out this solution wouldn't probably play out well with regenerateSessionId... It seems to me that multiple setCookie on the same cookie will result in multiple Set-Cookie headers being sent. Maybe some mechanism to send only the last cookie name would make sense?
sc_sessionExpandTTL = False is useful in cases where you want a fixed session length. I needed this for a project of mine.
I'm still trying to figure out the best way to handle this, hence the issue... The biggest issue for me is the possible race conditions so I'd really like to write some tests first showing the issue and corner cases and then implement a solution. I'd also like to take a peek at other web frameworks how they handle this. I'm on vacation for a week, but if you come up with a good solution including tests I'll happily merge your PR :+1:
What about setting the session cookie lifetime to infinity (i.e. 'long time' - or 'until the user closes the browser') and forget about the problem? The session lifetime management is done on the server anyway and upon login the regenerateSessionId should be used anyway (maybe this should be stressed in the documentation). This could be configurable in the SessionCfg. Are there any drawbacks?
That was what I was thinking about too... Maybe also implement that if the framework stumbles upon an invalid cookie it will delete it. Would you like to go for that?
I would like to see a fix for this as well. ondrap's solution seems okay to me.
@elfeck Yap! Would you like to create a PR?
@agrafix Although I have little experience with the inner workings of Spock and real-world Haskell, I will at least look into it.
It should be pretty straightforward, you probably only have to touch these lines: https://github.com/agrafix/Spock/blob/305c29cd3250f33bce0597310e45f7696820b367/Spock/src/Web/Spock/Internal/SessionManager.hs#L186-L196 .
The cookie's expiration date should be modified, too
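
The approach discussed in this thread, as an added, framework-independent sketch that is not Spock's code and not written by any participant: the cookie carries no expiry, the server enforces the lifetime (fixed or sliding), an invalid cookie is replaced, the id is regenerated on login, and only the last Set-Cookie per name is sent. The names `SessionStore`, `handle`, `last_cookie_only`, the cookie name `sid` and the one-hour TTL are assumptions made for the illustration.

```python
import secrets
import time

SESSION_TTL = 3600  # assumed server-side session lifetime, seconds
COOKIE = "sid"      # assumed cookie name

class SessionStore:
    def __init__(self, expand_ttl, now=time.time):
        self.expand_ttl = expand_ttl  # same idea as sc_sessionExpandTTL
        self.now = now
        self.sessions = {}            # session id -> expiry timestamp

    def create(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = self.now() + SESSION_TTL
        return sid

    def lookup(self, sid):
        expiry = self.sessions.get(sid)
        if expiry is None or expiry <= self.now():
            self.sessions.pop(sid, None)  # unknown or expired
            return False
        if self.expand_ttl:               # sliding window; False = fixed length
            self.sessions[sid] = self.now() + SESSION_TTL
        return True

def set_cookie(value, extra=""):
    # No Expires/Max-Age on a live session: lifetime is enforced server-side.
    return ("Set-Cookie", f"{COOKIE}={value}; Path=/; HttpOnly; Secure{extra}")

def last_cookie_only(headers):
    # Several setCookie calls in one response: keep the final one per name.
    last = {}
    for name, value in headers:
        last[value.split("=", 1)[0]] = (name, value)
    return list(last.values())

def handle(store, cookie_sid, login=False):
    headers = []
    if cookie_sid is not None and not store.lookup(cookie_sid):
        headers.append(set_cookie("", "; Max-Age=0"))  # delete invalid cookie
        cookie_sid = None
    if cookie_sid is None:
        cookie_sid = store.create()
        headers.append(set_cookie(cookie_sid))
    if login:  # new id on login, old id dropped from the store
        store.sessions.pop(cookie_sid, None)
        cookie_sid = store.create()
        headers.append(set_cookie(cookie_sid))
    return cookie_sid, last_cookie_only(headers)
```

A request that presents a valid cookie produces no Set-Cookie header at all, so the concurrent-request case never rewrites the cookie; the expiry decision lives only in `lookup`.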