bungle / lua-resty-session

Session library for OpenResty – flexible and secure
BSD 2-Clause "Simplified" License

Question about `rolling_timeout` #166

Closed alohec closed 1 year ago

alohec commented 1 year ago

The description of the rolling_timeout param contains the following:

> Rolling timeout specifies how long the session can be used until it needs to be renewed,

What exactly is meant by "renewed" in this context? Does it simply mean that session:refresh is called?

bungle commented 1 year ago

For example, if you have rolling_timeout set to 3600 seconds (1 hour), the cookie will function for 1 hour. session:refresh takes care of either calling touch (manipulates just the cookie, not the possible server-side data or its expiry) or save (creates a new row in the db, sends a new cookie and expires the old one within 10 secs by default). Calling session.start will also take care of it. And any call to save will also set a new cookie with another rolling_timeout of expiry.

So yes, you got it basically right.

bungle commented 1 year ago

Rolling can be limited with absolute_timeout. And time between requests can be limited with idling_timeout (the touching affects only the idling time).

bungle commented 1 year ago

- session.start = open + refresh
- session:refresh = touch or save
- touch = just updates the cookie's idling offset
- save = creates a new session with fresh timeouts (the original creation time is carried over if there was already an existing session), and a possible existing session is set to expire and a new cookie will be set.

bungle commented 1 year ago

@alohec, let me know if you have further questions.
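
The timeout behaviour described in this thread, modelled in plain Lua as an added example (it is not part of the thread and not lua-resty-session code). `Session`, `new`, `usable`, `run` and the field names are hypothetical, the timeout values are sample values, and treating a timeout as exceeded at exactly its limit is an assumption of the model; `touch` and `save` only mirror what the comments above say those calls do.

```lua
-- Added model of the three timeouts discussed above; not lua-resty-session code.
-- Session, new, usable, run and the field names are hypothetical.
local Session = {}
Session.__index = Session

local function new(now, cfg)
  return setmetatable({
    cfg = cfg,
    created = now, -- original creation time, carried over by save()
    rolled = now,  -- when the current cookie was issued (rolling clock)
    touched = now, -- last request seen (idling clock)
  }, Session)
end

-- Returns "ok", or the name of the first timeout that has been exceeded.
-- Assumption: a timeout counts as exceeded at exactly its limit.
function Session:usable(now)
  local c = self.cfg
  if now - self.created >= c.absolute_timeout then return "absolute" end
  if now - self.rolled >= c.rolling_timeout then return "rolling" end
  if now - self.touched >= c.idling_timeout then return "idling" end
  return "ok"
end

function Session:touch(now) self.touched = now end -- idling offset only

function Session:save(now) -- new cookie: fresh rolling and idling clocks
  self.rolled, self.touched = now, now
end

-- Sample values in seconds (constructed for this example).
local cfg = { idling_timeout = 900, rolling_timeout = 3600, absolute_timeout = 86400 }

-- A client sends a request every `step` seconds; every `renew` seconds the
-- request saves instead of touching (renew = nil: the session is never saved).
-- Returns the time and the timeout at which the session stops being usable.
local function run(step, renew)
  local s, t = new(0, cfg), 0
  while true do
    t = t + step
    local state = s:usable(t)
    if state ~= "ok" then return t, state end
    if renew and t % renew == 0 then s:save(t) else s:touch(t) end
  end
end

assert(select(2, run(600)) == "rolling")        -- touches only, never saved
assert(select(2, run(600, 3000)) == "absolute") -- saved every 3000 s
assert(select(2, run(1200, 3000)) == "idling")  -- requests 1200 s apart
print(run(600)); print(run(600, 3000)); print(run(1200, 3000))
```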