bungle / lua-resty-session

Session library for OpenResty – flexible and secure
BSD 2-Clause "Simplified" License

Question about session cookie settings #36

Closed dimitrovs closed 7 years ago

dimitrovs commented 7 years ago

Here are the settings I have:

lua_shared_dict sessions 10m;
ssl_session_timeout 24h;
ssl_session_cache shared:SSL:20m;
set $session_cookie_renew 12h;
set $session_cookie_lifetime 24h;

I want the session to expire ONLY in one of the following cases:

  1. User leaves browser tab open for > 12h with no activity
  2. User closes browser tab (so not persistent)

Are my settings correct/optimal for this use case? Thanks.

bungle commented 7 years ago

@dimitrovs,

Let's keep things separated for a moment, and start with session config. One thing we don't support is human-readable shortcuts like 12h (pull requests are welcome); you should always set settings as seconds. 12h = 43200.

To have sessions expire (when no activity) in 12 hours:

set $session_cookie_lifetime 43200;

The renew setting is basically an optimization that prevents sending a new cookie if the cookie is not going to expire soon. By default we renew cookies that are expiring in 10 minutes (600). Think about it like this:

  1. user logs in and gets a new session cookie with a lifetime of 43200 seconds (12 hours).
  2. user makes requests to the site sending the cookie; the server does not send a new cookie with a new expiration time unless it needs to be renewed. By default we don't renew until there are 10 minutes or less left before cookie expiration. Aka less data from server to client, but it is possible to make a request when there are 11 minutes left in the lifetime, and that session will still expire in 11 minutes. If requested when 9 minutes of lifetime are left, then we will send a new cookie with 12 hours of lifetime.

So, $session_cookie_lifetime is the setting you should configure. You can set $session_cookie_renew to the same 43200 (or larger) for the session to be renewed whenever the user accesses a resource on the server that starts (reconnects) the session.

To use shared dictionary for session storage, you need to configure the storage as well:

set $session_storage shm;
set $session_shm_store sessions;

Closing a tab and expiring a session is usually not possible, because browsers tend to keep non-persistent sessions available until the browser process is closed, and usually closing a tab is not enough: you have to use ALT-F4 or CMD-Q. But the sessions will of course expire when the session cookie lifetime is over.

bungle commented 7 years ago

Another thing: the SSL configuration only has an effect if you have Session Tickets disabled and have configured (enabled) this: https://github.com/bungle/lua-resty-session#boolean-sessioncheckssi

Read more from here: https://github.com/bungle/lua-resty-session#nginx-configuration-variables

In general, I don't think this is much used anymore, as most of the users use session tickets.

dimitrovs commented 7 years ago

Thank you!