This custom SessionStore backend was introduced almost a decade ago to address an issue with the upstream store not respecting the file expiration. As discussed in the associated issue and indicated in the original commit message, this store was expected to be a temporary workaround and removed eventually in favor of the Django built-in file backend.
Summary
This PR includes the following changes:
- deprecate the omeroweb.filesessionstore.SessionStore class
- update DEFAULT_SESSION_ENGINE to use django.contrib.sessions.backends.file
- update the omero.web.session_engine property documentation to list all supported engines and mark omeroweb.filesessionstore as deprecated
- remove all the business logic of omeroweb.filesessionstore.SessionStore and make it extend django.contrib.sessions.backends.file.SessionStore.
746caace22a1074743f54f3bb9b7b25b96f9d175 is arguably the biggest change in the initial proposal and could be reverted if we decided to keep the existing logic. Note in that case, the implementation would likely need to be reconciled with the upstream changes as part of the Django 4.2 upgrade effort (#480).
Impact
The impact of this change on existing OMERO.web deployments should be minimal as:
- deployments using Redis as their session backend should be unaffected
- deployments using the default session backend should switch to django.contrib.sessions.backends.file
- only deployments with omero.web.session_engine explicitly set to omeroweb.filesessionstore will need to be reviewed
Testing
- test OMERO.web both with omero.web.session_engine set to omeroweb.filesessionstore or unset
  - check the application start
  - check that a connection can be established with the server
  - check that a new OMERO.web connection creates a file in the local session store (/tmp/sessionid* on standard Linux distributions)
- for both configurations above, the session should respect the expiration time:
  - set omero.web.session_cookie_age to 30
  - start OMERO.web and create a connection
  - check that a session has been created under /tmp
  - let the session expire after 30s of inactivity
  - refresh the browser and check that it redirects to the login page, check that the session is still present on disk
  - run omero web clearsessions and check that the session file has been deleted
Fixes #472
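A read-only check for the "expired but still present on disk" step in the testing list, as an added example that is not part of this PR or of OMERO.web. It assumes session files carry the sessionid prefix seen in /tmp/sessionid* and that expiry is the file's last modification time plus the cookie age; the function names and the sample files are constructed for illustration.

```python
"""Added example: list session files that have outlived the cookie age."""
import os
import stat
import tempfile
import time
from pathlib import Path

# Assumption: files are named "sessionid<key>", as in /tmp/sessionid* on the page.
SESSION_PREFIX = "sessionid"


def find_stale_sessions(session_dir, cookie_age, now=None):
    """Return (file name, seconds past expiry) for expired files still on disk.

    Assumption: expiry = last modification time + cookie_age. A custom
    per-session expiry stored inside the file is not parsed here.
    """
    now = time.time() if now is None else now
    stale = []
    for path in sorted(Path(session_dir).glob(SESSION_PREFIX + "*")):
        try:
            st = path.lstat()  # lstat: do not follow symlinks in a shared /tmp
        except FileNotFoundError:
            continue  # removed between listing and stat, e.g. by clearsessions
        if not stat.S_ISREG(st.st_mode):
            continue  # ignore directories, symlinks and other non-regular files
        overdue = now - (st.st_mtime + cookie_age)
        if overdue > 0:
            stale.append((path.name, int(overdue)))
    return stale


def demo():
    """Scan a constructed session directory with cookie_age=30."""
    now = 1_700_000_000  # fixed clock so the result is reproducible
    samples = (("sessionidfresh", 5), ("sessionidold", 90), ("other.txt", 90))
    with tempfile.TemporaryDirectory() as d:
        for name, age in samples:
            p = Path(d, name)
            p.write_text("constructed sample")
            os.utime(p, (now - age, now - age))  # backdate the mtime
        return find_stale_sessions(d, cookie_age=30, now=now)


if __name__ == "__main__":
    for name, overdue in demo():
        print(f"{name}: expired {overdue}s ago, still on disk")
```

Any file this reports before clearsessions runs should be gone afterwards; files that remain point to a cleanup job that is not running or is looking at a different directory.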