ltb-project / self-service-password

Web interface to change and reset password in an LDAP directory
https://self-service-password.readthedocs.io/en/latest/
GNU General Public License v3.0

use a lib for server side sessions #954

Closed davidcoutadeur closed 2 months ago

davidcoutadeur commented 4 months ago

The goal is to remove things like:

htdocs/sendtoken.php:    ini_set("session.use_cookies",0);
htdocs/sendtoken.php:    ini_set("session.use_only_cookies",1);

in htdocs/sendtoken.php, htdocs/resetbytoken.php, htdocs/sendsms.php (but not necessarily for lib/captcha/InternalCaptcha.php which needs a session maintained at client side)

For this, we need to find a way to maintain server-side sessions, ideally with multiple possibilities of storage (file, redis, ...).

Depending on the complexity, maybe we won't have time for doing this in 1.7.0.

davidcoutadeur commented 4 months ago

See also the conversation in this PR: https://github.com/ltb-project/self-service-password/pull/949/files#diff-60c04a04215ce092db74c81c7eaf4bf5e6c49f796b4ae6e3c526ce70758f33f6

davidcoutadeur commented 3 months ago

I have found and implemented a solution based on Symfony cache.

See #967

It's quite extendable. For example, we could simply define another storage: memcached, redis, ... Complete list here: https://symfony.com/doc/current/components/cache/cache_pools.html

TODO:
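
Added example, not part of the issue thread and not the code from #967: one way to keep reset-token state on the server in a Symfony Cache pool, so that the storage backend is a one-line choice. It assumes PHP 8 and `symfony/cache` installed with Composer; `ResetTokenStore`, the `ssp_tokens` namespace and the `jdoe` login are hypothetical names.

```php
<?php
// Added example: server-side storage for password-reset tokens on a PSR-6 pool.
// Assumes `composer require symfony/cache`; class and method names are hypothetical.
require __DIR__ . '/vendor/autoload.php';

use Psr\Cache\CacheItemPoolInterface;
use Symfony\Component\Cache\Adapter\FilesystemAdapter;

final class ResetTokenStore
{
    public function __construct(
        private CacheItemPoolInterface $pool,
        private int $lifetime = 3600   // seconds a token stays valid
    ) {}

    /** Create a token for $login; only the random token leaves the server. */
    public function issue(string $login): string
    {
        $token = bin2hex(random_bytes(32));
        $item = $this->pool->getItem($this->key($token));
        $item->set(['login' => $login, 'issued' => time()]);
        $item->expiresAfter($this->lifetime);   // backend drops it after expiry
        $this->pool->save($item);
        return $token;
    }

    /** Return the login bound to $token and invalidate it, or null if unknown or expired. */
    public function redeem(string $token): ?string
    {
        $key = $this->key($token);
        $item = $this->pool->getItem($key);
        if (!$item->isHit()) {
            return null;
        }
        $this->pool->deleteItem($key);   // single use: a replayed token finds nothing
        return $item->get()['login'];
    }

    // Hashing keeps the raw token out of the backend and avoids PSR-6 reserved key characters.
    private function key(string $token): string
    {
        return 'rst_' . hash('sha256', $token);
    }
}

// File-backed pool; a RedisAdapter or MemcachedAdapter would replace only this constructor argument.
$store = new ResetTokenStore(new FilesystemAdapter('ssp_tokens', 0, sys_get_temp_dir()), 900);
$token = $store->issue('jdoe');   // constructed sample login
var_dump($store->redeem($token), $store->redeem($token));   // redeem twice to show single use
```

The `getItem` followed by `deleteItem` in `redeem()` is not atomic, so two concurrent requests with the same token could both succeed; a deployment where that matters needs a lock or a backend-level atomic get-and-delete.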