bungle / lua-resty-session

Session library for OpenResty – flexible and secure
BSD 2-Clause "Simplified" License
320 stars, 111 forks

Is it possible to specify session id to delete a session? #147

Open kingluo opened 2 years ago

kingluo commented 2 years ago

Sometimes the session is not determined from the cookie of the current request, and it's necessary to delete a session by specifying the session id, e.g. in the SAML protocol, when receiving the logout request from the IdP, it needs to delete the session which does not belong to the current cookie.

bungle commented 2 years ago

It is possible to delete sessions that use storage other than cookie. Currently we have no way to maintain a revocation list for sessions that are stored on cookie storage. You can implement it, but it is not provided by the library currently. With server-side storages the session is gone if you delete the data from the server-side session storage.

kingluo commented 2 years ago

@bungle According to my test, the following codes work:

-- same storage configuration as the session that is being revoked
local session = require "resty.session".new({
  storage = "shm"
})
-- id: raw session id of the session to delete (known from elsewhere, not from the current cookie)
local session_id = session.encoder.encode(id)
session.storage:destroy(session_id)

But such code is tightly coupled with the internal implementation. Do you think it's OK to encapsulate such code into a high-level API?

GYWang1983 commented 1 year ago

I need this API too, because the administrator wants to LOCK and LOGOUT some other users.

bungle commented 1 year ago

@GYWang1983, @kingluo,

I am currently working on the 4.0 version of the library. It will come with a lot of stuff. I hope to release it within a couple of weeks. I will consider adding some of this admin stuff there, but most likely it will happen in 4.1.0.

The code is currently in here: https://github.com/bungle/lua-resty-session/tree/release/4.0.0

bungle commented 1 year ago

@GYWang1983, upgrade to 4.0 and enable store_metadata. Here is a quick script for redis storage that I got from a co-worker:

echo -n "[YOUR_USER]" | base64 | sed 's/..$//' |                        # base64 of the user name with the last two characters dropped (the '==' padding)
  xargs -L1 -I '$' redis-cli -a [PWD] --scan --pattern "sessions:*$" |  # find the metadata key(s) for that user
  xargs -L1 -I '$' redis-cli -a [PWD] zrange "$" 0 -1 |                 # list the session ids in that sorted set
  xargs -I '$' echo 'sessions:session:$' |                              # turn each id into its session key
  xargs redis-cli -a [PWD] DEL                                          # delete those session keys