Open jetmonk opened 2 years ago
Hi @jetmonk, session lifetime constraints would be far too broad of an addition, as many assumptions need to be made, and a very opinionated implementation would not fit anybody's needs. Those decisions would need to be taken by the user of the system when choosing to use the middleware extensions.
It seems to me that session cookies expire (last few lines of src/middleware/session/state/cookies.lisp) but I can't find any garbage collection for cookies inside the stores.
Unless I'm missing something - which is very possible - then sessions will accumulate unless the session is removed with a logout.
To allow GC, it seems that session needs a last active time, and a gc process that is run at intervals to clean stale cookies.
In theory, the lack of session GC seems like the basis for a (rather weak) DoS attack: an attacker could create sessions that hang around until memory is used up.
Hunchentoot has a SESSION-GC function to avoid this issue.
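The shape the issue is asking for, as an added example that is not Lack's code and does not follow Lack's store protocol: an in-memory store whose entries carry a last-active timestamp, plus a sweep function that a timer or a request counter can call at intervals. All names here (`make-gc-store`, `store-session`, `touch-session`, `sweep-stale-sessions`) are hypothetical, the store is assumed to be used from one thread (a real one needs a lock around the table), and the 1000 visitor sessions in `demo` are constructed to show the unbounded-growth case being reclaimed.

```lisp
;;; Added example, not Lack's code. Hypothetical in-memory session store
;;; with a last-active timestamp per session and a periodic GC sweep.
;;; Assumes single-threaded access; wrap the table in a lock otherwise.

(defstruct session-entry
  data                              ; whatever the application stores per session
  (last-active 0 :type integer))    ; universal time of the last request that used it

(defstruct (gc-store (:constructor %make-gc-store))
  (table (make-hash-table :test #'equal))   ; session-id -> session-entry
  (max-idle-seconds 1800))                   ; idle time after which a session is reclaimed

(defun make-gc-store (&key (max-idle-seconds 1800))
  (%make-gc-store :max-idle-seconds max-idle-seconds))

(defun store-session (store id data &optional (now (get-universal-time)))
  "Create or replace the session ID with DATA, stamped as active at NOW."
  (setf (gethash id (gc-store-table store))
        (make-session-entry :data data :last-active now))
  data)

(defun touch-session (store id &optional (now (get-universal-time)))
  "Return the data for session ID and refresh its last-active time,
or NIL when the id is unknown (expired, swept, or never issued)."
  (let ((entry (gethash id (gc-store-table store))))
    (when entry
      (setf (session-entry-last-active entry) now)
      (session-entry-data entry))))

(defun remove-session (store id)
  "Explicit logout path: drop the session immediately."
  (remhash id (gc-store-table store)))

(defun sweep-stale-sessions (store &optional (now (get-universal-time)))
  "Remove every session idle for longer than MAX-IDLE-SECONDS as of NOW.
Returns the number of sessions removed. Removing the entry currently being
visited inside MAPHASH is permitted by the standard."
  (let ((removed 0)
        (deadline (- now (gc-store-max-idle-seconds store)))
        (table (gc-store-table store)))
    (maphash (lambda (id entry)
               (when (< (session-entry-last-active entry) deadline)
                 (remhash id table)
                 (incf removed)))
             table)
    removed))

(defun demo ()
  "Constructed scenario: 1000 anonymous sessions created at T0 and never
logged out, one of them still in use 90 s later, GC run at T0+120 s."
  (let* ((store (make-gc-store :max-idle-seconds 60))
         (t0 (encode-universal-time 0 0 0 1 1 2024 0)))
    (dotimes (i 1000)
      (store-session store (format nil "sid-~D" i) (list :visitor i) t0))
    (touch-session store "sid-7" (+ t0 90))
    ;; First value: sessions reclaimed; second: sessions still held.
    (values (sweep-stale-sessions store (+ t0 120))
            (hash-table-count (gc-store-table store)))))
```

Run `(demo)` at the REPL: the 999 sessions that went idle are reclaimed and only `sid-7`, which was touched inside the idle window, survives. To keep growth bounded in a server, call `sweep-stale-sessions` from a timer or after every Nth request, the way Hunchentoot's `SESSION-GC` is driven; the idle timeout should match the cookie's expiry so that a cookie never outlives its server-side entry by much, and never the other way round.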