hapijs / yar

A hapi session manager

Session never expires #92

Closed krasimirkostadinow closed 7 years ago

krasimirkostadinow commented 8 years ago

Hello,

I'm facing an issue related to the session timeout. When a request with a cookie which has already expired is sent, the server responds well and it seems there is no server-side check if the cookie is expired. I know the browsers check the expiration date and the max-age parameter and if the cookie is not valid, it will not be added to the headers, but it is strange to me that the server has no validation on that.

mark-bradshaw commented 8 years ago

We've just relied on the client to expire the cookies, knowing that session replay was always a possibility. We could encode the expiration in the body of the cookie, since it's encrypted, and do additional checks there. Let me consider that.

mark-bradshaw commented 8 years ago

What if we added a new config option called enforceCookieExpiration that encoded an expiration date in the cookie data, and verified that the cookie was still in force before using it as session data? A downside is that by inflating the cookie data you get less data storage using that mechanism before you have to fall back to server caching. I'm inclined to add it, but leave it off by default.

mark-bradshaw commented 8 years ago

Going to leave this open for PRs.

hueniverse commented 7 years ago

This is not a security module, but just an easy way to keep temporary state. If you need more advanced features, this module is probably too limited.

lock[bot] commented 4 years ago

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.