fukamachi / lack

Lack, the core of Clack
MIT License
155 stars 33 forks source link

Is there GC for sessions? #66

Open jetmonk opened 2 years ago

jetmonk commented 2 years ago

It seems to me that session cookies expire (last few lines of src/middleware/session/state/cookies.lisp) but I can't find any garbage collection for cookies inside the stores.

Unless I'm missing something - which is very possible - then sessions will accumulate unless the session is removed with a logout.

To allow GC, it seems that session needs a last active time, and a gc process that is run at intervals to clean stale cookies.

In theory, the lack of session GC seems like the basis for a (rather weak) DOS attack: an attacker could create sessions that hang around until memory is used up.

Hunchentoot has a SESSION-GC function to avoid this issue.