It seems to me that session cookies expire (last few lines of src/middleware/session/state/cookies.lisp) but I can't find any garbage collection for cookies inside the stores.
Unless I'm missing something - which is very possible - then sessions will accumulate unless the session is removed with a logout.
To allow GC, it seems that a session needs a last active time, and a GC process that is run at intervals to clean stale cookies.
In theory, the lack of session GC seems like the basis for a (rather weak) DoS attack: an attacker could create sessions that hang around until memory is used up.
Hunchentoot has a SESSION-GC function to avoid this issue.
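
The mechanism proposed above, a last-active timestamp per session plus a sweep run at intervals, as an added example in portable Common Lisp. It is not code from the original post or from the project; the store structure, the function names and the 60-second timeout are assumptions.

```lisp
;;; Added example: in-memory session store with idle-timeout sweeping.
;;; All names (gc-store, fetch-session, ...) are hypothetical, not the project's API.
;;; Not thread-safe as written; guard the table with a lock in a threaded server.

(defstruct gc-store
  (table (make-hash-table :test 'equal)) ; sid -> (last-active . data)
  (max-idle 1800))                       ; allowed idle time in seconds

(defun expired-p (store entry now)
  "True when ENTRY has been idle longer than the store's MAX-IDLE."
  (> (- now (car entry)) (gc-store-max-idle store)))

(defun store-session (store sid data &optional (now (get-universal-time)))
  "Create or overwrite session SID, stamping it with NOW."
  (setf (gethash sid (gc-store-table store)) (cons now data))
  data)

(defun fetch-session (store sid &optional (now (get-universal-time)))
  "Return the data for SID and refresh its last-active time.
A stale entry is dropped on access and NIL is returned."
  (let ((entry (gethash sid (gc-store-table store))))
    (cond ((null entry) nil)
          ((expired-p store entry now)
           (remhash sid (gc-store-table store))
           nil)
          (t (setf (car entry) now)
             (cdr entry)))))

(defun sweep-sessions (store &optional (now (get-universal-time)))
  "Remove every session idle longer than MAX-IDLE; return the number removed."
  (let ((table (gc-store-table store))
        (removed 0))
    ;; The standard permits REMHASH on the entry currently being visited.
    (maphash (lambda (sid entry)
               (when (expired-p store entry now)
                 (remhash sid table)
                 (incf removed)))
             table)
    removed))

;; Constructed demo: three sessions created at t=0, clock passed explicitly.
(let ((store (make-gc-store :max-idle 60)))
  (dolist (sid '("a" "b" "c"))
    (store-session store sid (list :sid sid) 0))
  (fetch-session store "b" 50)           ; only "b" is touched again, at t=50
  (format t "swept ~D, remaining ~D~%"
          (sweep-sessions store 100)     ; run the sweep at t=100
          (hash-table-count (gc-store-table store))))
```

The sweep can be driven by a timer thread or run opportunistically every so many requests. It bounds how long an abandoned session lives, not how many sessions can exist at once, so a cap on total sessions or on session creation rate is a separate control.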