Chunked cookies are not expired when session shrinks, leaving unwanted data on client

[alexdowad]

Here is the problem scenario:

1. On one HTTP request, the application sets large session data, calls session:save(), and the session data is sent out as a chunked cookie. (Perhaps with cookie names like session, session_2, session_3, and so on.)
2. On a subsequent request, the application modifies the session data so it is now small, and again calls session:save().
3. This time, only a single cookie is set, with name session.
4. The new session cookie overrides the old one, but it does not do anything about the previously set session_2, session_3, session_4, and so on. These remain on the client and are uselessly sent to the server with every HTTP request.

Essentially, this means that if session data is kept in cookies, it can only shrink to floor(max_previously_set_size / 4000) * 4000. Once the session size surpasses any multiple of 4000 bytes, it can never shrink smaller than that multiple.

Any comments on this? If it is something which can and should be fixed in lua-resty-session, I am happy to develop the fix, but I'm trying to think of what it should be.

When the session is read, session.chunks is set to the number of chunks... perhaps that could be used to automatically expire chunks which are no longer needed? I guess that would have to be done at https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session.lua#L236.

[alexdowad]

I think I can see now how to fix this... but it is up to the maintainers whether you would like to accept a PR with a fix or not.

[bungle]

@alexdowad, PR welcomed. I can check if there is an easy way. Thanks for reporting.

[bungle]

@alexdowad, yes, it looks like it is rather easy to fix. And yes, that feels like a correct place too. As I am preparing for a new release, I will fix this too.

[alexdowad]

@bungle Thank you very much!