Closed Arpita-Jaiswal closed 3 months ago
Let's not do this. If we do this, the value of expires_at must be correct, and in most cases we want to extend a session based on last activity, so we will have to update this column on every HTTP request. This helps us in no way; cookie expiry can be extended on every HTTP request without a DB call.
On second thought, this can be considered a security issue: if we do not keep track of expiry on the server side, we will not be able to know if an old session has been stolen. Session expiry is implemented to prevent stolen sessions from being indefinitely accessible. It's kind of weak security, as the attacker can keep sending any HTTP request and we will keep extending the session expiry.
The other option is to do what Gmail/Google does: every 2 weeks you get logged out, and you have to re-login. expires_at can be used for that.
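The trade-off discussed above, as an added example that is not part of this pull request or of fastn's code: `expires_at` is written once at login as a hard deadline, and each request only reads it while the cookie expiry slides. The `Session` struct, the function names and the 30-minute idle value are assumptions; the two-week cap is the figure from the comment.

```rust
use std::time::{Duration, SystemTime};

/// Hypothetical session row; `expires_at` is the only column named in the PR.
pub struct Session {
    pub expires_at: SystemTime, // absolute deadline, written once at login
}

/// Assumed policy values: two-week hard cap, 30-minute sliding cookie.
pub const ABSOLUTE_LIFETIME: Duration = Duration::from_secs(14 * 24 * 60 * 60);
pub const IDLE_TIMEOUT: Duration = Duration::from_secs(30 * 60);

#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Valid: re-issue the cookie with this expiry. No DB write is needed.
    Allow { cookie_expires: SystemTime },
    /// Hard deadline passed: drop the row and require a fresh login.
    Reauthenticate,
}

pub fn login(now: SystemTime) -> Session {
    Session { expires_at: now + ABSOLUTE_LIFETIME }
}

/// Runs on every HTTP request. Reads `expires_at` and never extends it.
pub fn check(session: &Session, now: SystemTime) -> Decision {
    if now >= session.expires_at {
        return Decision::Reauthenticate;
    }
    // Slide the cookie, but never past the server-side deadline.
    let cookie_expires = std::cmp::min(now + IDLE_TIMEOUT, session.expires_at);
    Decision::Allow { cookie_expires }
}

/// Counts how many requests, sent every `interval`, succeed after one login.
/// Models a client (or a holder of a stolen cookie) that never goes idle.
pub fn requests_until_relogin(start: SystemTime, interval: Duration) -> u32 {
    let session = login(start);
    let (mut now, mut allowed) = (start, 0u32);
    while let Decision::Allow { .. } = check(&session, now) {
        allowed += 1;
        now += interval;
    }
    allowed
}

fn main() {
    // Constructed login time, for illustration only.
    let t0 = SystemTime::UNIX_EPOCH + Duration::from_secs(1_700_000_000);
    let n = requests_until_relogin(t0, Duration::from_secs(600));
    println!("requests allowed before forced re-login: {n}");
}
```

Constant traffic keeps the cookie alive only until the stored deadline, so a stolen session stops working at `expires_at` regardless of activity.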
This pull request includes the addition of `expires_at` column to the `fastn_session` table to store the expiration time of sessions. For existing databases, the following migration script should be run to add the new `expires_at` column: