bbangert / beaker

WSGI middleware for sessions and caching
https://beaker.readthedocs.org/

Clarify session.delete() behavior #189

Open benatto opened 4 years ago

benatto commented 4 years ago

Hello,

I was looking at the beaker documentation about the session.delete() method. There it says:

"Calling the delete() method deletes the session from the back-end storage and sends an expiration on the cookie requesting the browser to clear it:"

https://beaker.readthedocs.io/en/latest/sessions.html#deleting

However a few lines further we have:

"Removing Expired/Old Sessions

Beaker does not automatically delete expired or old cookies on any of its back-ends. This task is left up to the developer based on how sessions are being used, and on what back-end."

https://beaker.readthedocs.io/en/latest/sessions.html#removing-expired-old-sessions

Looking at the code, it indeed seems not to clean up cookies from any non-transient storage. May I have your help to double-check whether this is the right behaviour? I mean, delete()'s documentation claims it removes the old session/cookies from back-end storage; on the other hand, "Removing Expired/Old Sessions" states cookies are not deleted from the back-end.

kotofos commented 3 years ago

As I understand from the code, the delete() method does not delete sessions but saves them without values. So it is possible to read them back knowing the ID, but there will be no useful data. If the session is expired, it is still stored, but with an expired date. Same for old sessions - they will be stored forever.
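
Added example, not part of this thread or of Beaker's own code: the documentation quoted above leaves removal of old sessions to the developer, so this sketch shows a periodic purge for a file-based session store. It assumes session data lives as regular files under a data directory with nested subdirectories; the function name, the `.cache` file names and the three-day threshold are hypothetical.

```python
import os
import stat
import tempfile
import time
from pathlib import Path


def purge_stale_sessions(data_dir, max_age_seconds, now=None, dry_run=False):
    """Delete regular files under data_dir whose mtime is older than max_age_seconds.

    Returns the sorted list of paths removed (or that would be removed if dry_run).
    """
    now = time.time() if now is None else now
    removed = []
    # followlinks=False keeps the walk inside data_dir even if a symlink was planted.
    for dirpath, _dirnames, filenames in os.walk(data_dir, followlinks=False):
        for name in filenames:
            path = Path(dirpath) / name
            try:
                st = path.lstat()  # lstat: never follow a symlinked "session file"
            except FileNotFoundError:
                continue  # removed concurrently by the application
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets, devices
            if now - st.st_mtime <= max_age_seconds:
                continue  # still within the retention window
            if not dry_run:
                try:
                    path.unlink()
                except FileNotFoundError:
                    continue
            removed.append(str(path))
    return sorted(removed)


def demo():
    """Run the purge over a constructed session directory (sample data, not real sessions)."""
    with tempfile.TemporaryDirectory() as tmp:
        now = time.time()
        fresh = Path(tmp, "a", "ab", "fresh.cache")
        stale = Path(tmp, "c", "cd", "stale.cache")
        for path, age in ((fresh, 60), (stale, 4 * 86400)):
            path.parent.mkdir(parents=True)
            path.write_bytes(b"constructed sample")
            os.utime(path, (now - age, now - age))  # backdate the mtime
        removed = purge_stale_sessions(tmp, 3 * 86400, now=now)
        return [Path(p).name for p in removed], fresh.exists(), stale.exists()
```

The modification time only records the last write, so the retention window should be longer than the longest session lifetime the application allows.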