fastn-stack / fastn

🚧 (Alpha stage software) fastn - better way to build websites 🚧
https://fastn.com
GNU Affero General Public License v3.0
465 stars 36 forks

Add `expires_at` in `fastn_session` table #1915

Closed Arpita-Jaiswal closed 3 months ago

Arpita-Jaiswal commented 3 months ago

This pull request includes the addition of an `expires_at` column to the `fastn_session` table to store the expiration time of sessions.

For existing databases, the following migration script should be run to add the new expires_at column:

-- Table name is fastn_session, as in the PR title and description
-- (the migration as originally posted wrote "session").
ALTER TABLE fastn_session
ADD COLUMN expires_at INTEGER;
amitu commented 3 months ago

Let's not do this. If we do this, the value of expires_at must be correct, and in most cases we want to extend a session based on last activity, so we will have to update this column on every http request. This helps us in no way; cookie expiry can be extended on every http request without a db call.

amitu commented 3 months ago

On second thought, this can be considered a security issue: if we do not keep track of expiry on the server side, we will not be able to know if an old session has been stolen. Session expiry is implemented to prevent stolen sessions from being indefinitely accessible. It's kind of weak security, as the attacker can keep sending any http request and we will keep extending the session expiry.

The other option is to do what Gmail/Google does: every 2 weeks you get logged out, and you have to re-login. `expires_at` can be used for that.
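The two policies discussed in this thread, a sliding idle window that is extended on every request versus a server-side `expires_at` that is never extended, can be compared directly with a small model. The Rust below is an added example for this discussion, not fastn's code: it uses an in-memory `HashMap` as a stand-in for the `fastn_session` table, and the 30-minute idle window, the 14-day hard cap, the `Policy`/`SessionStore` names and the session id `sess-1` are all assumptions made for illustration. `replay_until_rejected` plays the stolen-session scenario from the comment above: an attacker who replays a stolen session id every 10 minutes is served forever under the sliding-only policy, and is cut off at the 14-day mark once a hard `expires_at` is stored and checked server side.

```rust
use std::collections::HashMap;

// Assumed values for this example; fastn's real session lifetimes are not stated on the page.
pub const IDLE_TIMEOUT_SECS: u64 = 30 * 60; // sliding window: 30 minutes without a request
pub const ABSOLUTE_LIFETIME_SECS: u64 = 14 * 86_400; // hard cap: re-login every 14 days

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Policy {
    /// Only the sliding idle window, extended on every request.
    SlidingOnly,
    /// Sliding idle window plus a server-side `expires_at` that is never extended.
    SlidingWithAbsoluteCap,
}

#[derive(Debug, Clone)]
pub struct Session {
    pub user_id: u64,
    /// Hard deadline fixed at login; this is the role of the proposed `expires_at` column.
    pub expires_at: u64,
    /// Idle deadline, moved forward on each valid request.
    pub idle_until: u64,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum SessionState {
    Valid,
    IdleExpired,
    AbsoluteExpired,
    Unknown,
}

/// In-memory stand-in for the `fastn_session` table (assumption: not fastn's storage code).
pub struct SessionStore {
    policy: Policy,
    sessions: HashMap<String, Session>,
}

impl SessionStore {
    pub fn new(policy: Policy) -> Self {
        Self { policy, sessions: HashMap::new() }
    }

    /// Insert a fresh session at login time `now`; both deadlines start here.
    pub fn create(&mut self, session_id: &str, user_id: u64, now: u64) {
        let session = Session {
            user_id,
            expires_at: now + ABSOLUTE_LIFETIME_SECS,
            idle_until: now + IDLE_TIMEOUT_SECS,
        };
        self.sessions.insert(session_id.to_string(), session);
    }

    pub fn expires_at(&self, session_id: &str) -> Option<u64> {
        self.sessions.get(session_id).map(|s| s.expires_at)
    }

    /// Check a session at time `now`. A valid session has its idle deadline slid
    /// forward (the per-request write amitu objects to); an expired one is deleted
    /// so a later request cannot revive it. `expires_at` is read, never rewritten.
    pub fn touch(&mut self, session_id: &str, now: u64) -> SessionState {
        let state = match self.sessions.get(session_id) {
            None => return SessionState::Unknown,
            Some(s) if self.policy == Policy::SlidingWithAbsoluteCap && now >= s.expires_at => {
                SessionState::AbsoluteExpired
            }
            Some(s) if now >= s.idle_until => SessionState::IdleExpired,
            Some(_) => SessionState::Valid,
        };
        if state == SessionState::Valid {
            if let Some(s) = self.sessions.get_mut(session_id) {
                s.idle_until = now + IDLE_TIMEOUT_SECS;
            }
        } else {
            self.sessions.remove(session_id);
        }
        state
    }
}

/// Model of a stolen session id replayed every `interval` seconds, from login at
/// time 0 up to `horizon`. Returns the time of the first rejection, or None if the
/// attacker is still being served when the horizon is reached.
pub fn replay_until_rejected(policy: Policy, interval: u64, horizon: u64) -> Option<u64> {
    let mut store = SessionStore::new(policy);
    store.create("sess-1", 42, 0);
    let mut now = interval;
    while now <= horizon {
        if store.touch("sess-1", now) != SessionState::Valid {
            return Some(now);
        }
        now += interval;
    }
    None
}

fn main() {
    let thirty_days = 30 * 86_400;
    println!("sliding only, replay every 10 min: {:?}",
        replay_until_rejected(Policy::SlidingOnly, 600, thirty_days));
    println!("with absolute cap, replay every 10 min: {:?}",
        replay_until_rejected(Policy::SlidingWithAbsoluteCap, 600, thirty_days));
}
```

Note which deadline actually costs a database write: the idle window is the one that must move on every request, so if that cost is the concern it can stay in cookie expiry as the first comment suggests, while the absolute `expires_at` is written once at login and only ever read afterwards. The hard cap is what lets the server reject an old stolen session regardless of how actively the attacker keeps it alive.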