Open zwhitchcox opened 6 years ago
This package creates each session with an encrypted ID and stores the ID in the cookie. That is, each session is related not to the user but to the cookie.
So, with your example:

- `tom`
- `zeke`
- `tom`

This package hides the ID of sessions and users cannot access them. So you need not worry about conflicts or old sessions.
But ok, Malicious User C creates a botnet to create thousands of common usernames across tons of different browsers. Then he changes all the usernames to something random, but he keeps the session cookie. Then he waits until people create those usernames for themselves. Now he has a cookie associated with their username, and he can access their account.
But ok, say I just associate the session with `user_id` instead of username (which I have done). Say UserD suspects someone else has gotten his password and wants to log out of his account across every session. How would I accomplish that?
So, my solution is to add another value to the session, `date_signed_in`, and check the last time the user signed everyone else out from the account. If the `date_signed_in` is after, then delete the session. This is obviously a workaround and inefficient though, and it would be preferable to just be able to delete all sessions a user has.
Hmm, but your solution cannot permit UserA to use multiple devices at one time. That is, if UserA is using an iPhone and a Macbook and accessing the same website, only the latter logged-in session is available. That is annoying.
I suggest you prepare a UserID (random string or integer) to distinguish each user and not use the username for it. Then users can have the same name at one time.
So, let's say I create a session and save the username to the session, which I then use throughout my API. Any user can have multiple sessions. Then, let's say they change their username. Now, if someone changes their username to the username they previously had, as the usernames are the primary key, they now have access to the new user with that username. So:

- `tom`
- `tom` is saved to session
- `tom` changes username to `zeke`
- `tom`
- `zeke` now has access to `tom`'s account information, because he has a session with the `username` value set to `tom`.

So, I guess I can just make a `SERIAL` key as the session id, but that still leaves the problem that any session data saved will be stale if it changes, like username. So, is there any way to get all sessions with the `id` value set to `1234`, for example, or do I just need to retrieve all data from the database, just in case it has changed, even if it doesn't change very often?