Closed nvx closed 9 years ago

From a quick look at the code it wasn't clear if session expiration is enforced on the server side or if it entirely relies on the client cookie expiration.
This can pose issues when an expired cookie is still recoverable on disk when using persistent sessions (through either disk forensics, or because the browser has not been started since the cookie expired).
I imagine this would affect the stateless cookie backend more so than others.

In 1 everything is stored on the client, but we compute an HMAC that also covers the expiration time, and we encrypt with a secret known only to the server. Expiration time is enforced and is not easily faked: you would need to leak the server secret and some other things. If decryption or HMAC checking fails we discard the cookie.
On server-side stores we expire them on the server as well.
Does this answer your question?

Ah yup, right you are!
I was blind when I was first looking for it last night. Found the spot I was looking for just then: https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session.lua#L243
Cheers!

Yes, and the HMAC is checked a few lines after. I consider this answered, and will close this. Please reopen if you have any further questions or doubts. Thank you for asking; I will make some more docs about it.
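The stateless cookie scheme bungle describes in this thread, reduced to its HMAC-and-expiry core as an added Python example (not lua-resty-session's own code): the expiry is part of the MAC input, so a client cannot extend it, and the server rejects the cookie on MAC failure or past expiry regardless of what the browser does. It omits the encryption layer the library also applies and uses a constructed demo secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret; a real server secret is random and never leaves the server.
SERVER_SECRET = b"demo-secret-do-not-use-in-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(payload: bytes, expires: int) -> bytes:
    # The expiry is covered by the MAC, so changing it invalidates the tag.
    msg = payload + b"|" + str(expires).encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_cookie(data: dict, ttl: int, now: Optional[int] = None) -> str:
    """Build a cookie value: payload.expires.tag (all client-held, server-authenticated)."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    payload = json.dumps(data, separators=(",", ":")).encode()
    return ".".join([_b64(payload), str(expires), _b64(_tag(payload, expires))])


def open_cookie(cookie: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict, or None if the cookie is malformed, forged or expired."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, expires_str, tag_b64 = cookie.split(".")
        payload = _unb64(payload_b64)
        expires = int(expires_str)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed: discard, as the library does on decode failure
    # Verify integrity (constant-time) before trusting any field, including the expiry.
    if not hmac.compare_digest(tag, _tag(payload, expires)):
        return None
    if now >= expires:
        return None  # server-enforced expiry, independent of browser cookie expiry
    return json.loads(payload)
```

A cookie recovered from disk after its expiry is therefore still rejected by the server, since the expiry check runs on every request and the client cannot move the timestamp without the secret.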