Closed jeremija closed 3 years ago
I think this feature were really usefull. I don‘t see any session library which implement this.
I actually had to do something similar for a project a few months ago to revoke sessions for a specific user, and used a similar hack to the one that you suggest. Basically, I used a Codec
implementation that marshaled the data to JSON, used the regular Postgres store without changing it, and then just queried the database directly to identify the sessions for a user.
If you're using Postgres, you could potentially write your own store implementation to use a JSON column in the database, which can then be indexed for fast direct querying.
Thanks for your response! That's basically something similar to what I ended up doing. I kept the bytea
type in the database, though. The only thing that seemed kind of hacky was that I had to call codec.Decode()
in store.Commit()
(which gets called immediately after codec.Encode()
is made in this library), but it works!
As for supporting this functionality out-of-the-box, it's important to remember that sessions aren't just used for authentication and storing user information.
This is a general HTTP session management package, rather than an specific authentication package and user_id
is just one arbitrary parameter that someone might want to store in a session.
So really, what we are talking about would require making the library support retrieval of sessions data from the database based on arbitrary parameters. I'll have a think about whether this is possible (or even sensible!), but my gut instinct in that it probably falls out of scope. Perhaps it would be possible to make it easier for people to achieve on their own somehow, though.
@jeremija I'm pleased that you got a work-around running!
After thinking about this further, my view hasn't really changed from the message above:
This is a general HTTP session management package, rather than an specific authentication package and user_id is just one arbitrary parameter that someone might want to store in a session.
So really, what we are talking about would require making the library support retrieval of sessions data from the database based on arbitrary parameters. I'll have a think about whether this is possible (or even sensible!), but my gut instinct in that it probably falls out of scope. Perhaps it would be possible to make it easier for people to achieve on their own somehow, though.
I think we could potentially make it easier by allowing you to iterate over all active sessions easily though, and that is probably something worth doing. There's an open issue https://github.com/alexedwards/scs/issues/92 for session enumeration already, so on that basis I'm going to close this one down.
Thanks for this easy-to-use library!
What is the best way to select all sessions belonging to a specific user? I would like to provide a user with an interface to see and manage (log out of) any existing sessions.
At first I thought I'd implement my own
Store
and add auser_id int references "user"(id)
column to thesessions
table, but then the data passed toStore#Commit
is already serialized so I would not be able to read theuserID
from the map.Then I thought I'd add an extra step in my
SetUserIDToSession
andRemoveUserIDFromSession
methods to associate a theuser_id
with a token in a separate table like:But I'm having a hard time implementing this because I do not see a way to get the current session token. I could read the cookie value, but what if the token was changed because the
RenewToken
method had been called beforehand?Also, if the token had been renewed, the insert to
session_user
would fail because thetoken
reference would not be in thesessions
table yet (since the session is committed after the request handler).The only hack I see at this point is to:
1) Use a local implementation of
Codec
becausegobCodec
is private. 2) Create a custom sessionStore
. 3) CallCodec.Decode
in my implementation ofStore.Commit
. 4) Read the user_id value from the map and use it to setsessions.user_id
field in the db.