Is it possible to specify session id to delete a session?

[kingluo]

Sometimes the session is not determined from cookie of the current request, and it's necessary to delete a session by specifing the session id, e.g. in SAML protocol, when receiving the logout request from IdP, it need to delete the session which does not belongs to current cookie.

[bungle]

It is possible to delete sessions that use storage other than cookie. Currently we have no way to maintain a revocation list for sessions that are stored on cookie storage. You can implement is, but it is not provided by the library currently. With server side storages session is gone if you delete the data from server side session storage.

[kingluo]

@bungle According to my test, the following codes work:

local session = require "resty.session".new({
  storage = "shm"
})
local session_id = session.encoder.encode(id)
session.storage:destroy(session_id)

But such codes are tight coupling with internal implementation. Do you think it's ok to encapsulate such codes into high level API?

[GYWang1983]

I need this api too. Because of the administrator wants to LOCK and LOGOUT some other users.

[bungle]

@GYWang1983, @kingluo,

I am currently working on 4.0 version of the library. It will come with a lot of stuff. I hope to release it within couple of weeks. I will consider adding some of this admin stuff there, but most likely will happen on the 4.1.0.

The code is currently in here: https://github.com/bungle/lua-resty-session/tree/release/4.0.0

[bungle]

@GYWang1983, upgrade to 4.0 and enable store_metadata. Here is quick script for redis storage that I got from co-worker:

echo -n "[YOUR_USER]" | base64 | sed 's/..$//' | xargs -L1 -I '$' redis-cli -a [PWD] --scan --pattern "sessions:*$" | xargs -L1 -I '$' redis-cli -a [PWD] zrange "$" 0 -1 | xargs -I '$' echo 'sessions:session:$' | xargs redis-cli -a [PWD] DEL