This custom SessionStore backend was introduced almost a decade ago to address an issue with the upstream store not respecting the file expiration. As discussed in the associated issue and indicated in the original commit message, this store was expected to be a temporary workaround and removed eventually in favor of the Django built-in file backend.
Summary
This PR includes the following changes:
deprecate the omeroweb.filesessionsstore.SessionStore class
update DEFAULT_SESSION_ENGINE to use django.contrib.sessions.backends.file
update the omero.web.session_engine property documentation to list all supported engines and mark omeroweb.filesessionstore as deprecated
remove all the business logic of omeroweb.filesessionsstore.SessionStore and make it extend django.contrib.sessions.backends.file.SessionStore.
746caace22a1074743f54f3bb9b7b25b96f9d175 is arguably the biggest change in the initial proposal and could be reverted if we decided to keep the existing logic. Note in that case, the implementation would likely need to be reconciled with the upstream changes as part of the Django 4.2 upgrade effort (#480).
Impact
The impact of this change on existing OMERO.web deployments should be minimal as:
deployments using Redis as their session backend should be unaffected
deployments using the default session backend should switch to django.contrib.sessions.backends.file
only deployments with omero.web.session_engine explicitly set to omeroweb.filesessionstore will need to be reviewed
Testing
test OMERO.web both with omero.web.session_engine set to omeroweb.filesessionstore or unset
check the application start
check that a connection can be established with the server
check that a new OMERO.web connection creates a file in the local session store (/tmp/sessionid* on standard Linux distributions)
for both configurations above, the session should respect the expiration time:
set omero.web.session_cookie_age to 30
start OMERO.web and create a connection
check that a session has been created under /tmp
let the session expire after 30s of inactivity
refresh the browser and check that it redirects to the login page, check that the session is still present on disk
run omero web clearsessions and check that the session file has been deleted
Fixes #472
This custom
SessionStorebackend was introduced almost a decade ago to address an issue with the upstream store not respecting the file expiration. As discussed in the associated issue and indicated in the original commit message, this store was expected to be a temporary workaround and removed eventually in favor of the Django built-in file backend.Summary
This PR includes the following changes:
omeroweb.filesessionsstore.SessionStoreclassDEFAULT_SESSION_ENGINEto usedjango.contrib.sessions.backends.fileomero.web.session_engineproperty documentation to list all supported engines and markomeroweb.filesessionstoreas deprecatedomeroweb.filesessionsstore.SessionStoreand make it extenddjango.contrib.sessions.backends.file.SessionStore.746caace22a1074743f54f3bb9b7b25b96f9d175 is arguably the biggest change in the initial proposal and could be reverted if we decided to keep the existing logic. Note in that case, the implementation would likely need to be reconciled with the upstream changes as part of the Django 4.2 upgrade effort (#480).
Impact
The impact of this change on existing OMERO.web deployments should be minimal as:
django.contrib.sessions.backends.fileomero.web.session_engineexplicitly set toomeroweb.filesessionstorewill need to be reviewedTesting
omero.web.session_engineset toomeroweb.filesessionstoreor unset/tmp/sessionid*on standard Linux distributions)omero.web.session_cookie_ageto30/tmpomero web clearsessionsand check that the session file has been deleted