ring-clojure / ring-defaults

A library to provide sensible Ring middleware defaults
MIT License

site-defaults leaks memory by default #34

Closed miikka closed 1 year ago

miikka commented 4 years ago

site-defaults enables both the session middleware and ring-anti-forgery. The session middleware leaks sessions by default and ring-anti-forgery uses sessions to store the anti-CSRF tokens it creates. Thus, even if you don't use sessions yourself, ring-anti-forgery creates a session for every user and these sessions are never removed.

I'm not sure if there's a backwards-compatible way to fix it, or if it needs to be fixed in the first place, but I think it would be a good idea to at least document this.

weavejester commented 4 years ago

I believe the intent was for people to add in their own session store, but it might be reasonable to default to cookie stores. They're not perfect, but better than in-memory sessions in most ways.

antonmos commented 3 years ago

+1 for making the default safer. Most servers come with an expiring session in-memory store by default, so this is not something that people will expect.
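The behaviour described in this thread, shown side by side with the cookie-store remedy and a way to watch the in-memory store grow. This is an added illustration, not code from ring-defaults; `handler` is a hypothetical application handler and `SESSION_KEY` is an assumed environment variable.

```clojure
(ns example.handler
  (:require [ring.middleware.defaults :refer [wrap-defaults site-defaults]]
            [ring.middleware.session.cookie :refer [cookie-store]]
            [ring.middleware.session.memory :refer [memory-store]]))

;; Hypothetical application handler; it never touches the session itself.
(defn handler [_request]
  {:status 200 :headers {"Content-Type" "text/plain"} :body "ok"})

;; 1. The default. site-defaults sets no :session :store, so wrap-session
;;    falls back to a fresh memory-store. wrap-anti-forgery writes a CSRF
;;    token into the session on the first request, so every new client
;;    creates an entry that is never expired or evicted: the map grows for
;;    the life of the process.
(def leaky-app
  (wrap-defaults handler site-defaults))

;; 2. Same default store, but with our own atom passed in so its size can
;;    be exposed as a metric. Useful as a check that the leak is real (or
;;    fixed) in a running service; it does not stop the growth.
(def sessions (atom {}))

(def monitored-app
  (wrap-defaults handler
                 (assoc-in site-defaults [:session :store]
                           (memory-store sessions))))

(defn session-count
  "Number of server-side sessions currently held in memory."
  []
  (count @sessions))

;; 3. Cookie store. The session (here only the CSRF token) travels in an
;;    encrypted, authenticated cookie; the server holds nothing per client.
;;    The key must be exactly 16 bytes and must come from configuration,
;;    never from source. Assumed here: a SESSION_KEY environment variable.
(def session-key
  (let [k (System/getenv "SESSION_KEY")]
    (when-not (and k (= 16 (count (.getBytes k "UTF-8"))))
      (throw (ex-info "SESSION_KEY must be set and be exactly 16 bytes" {})))
    (.getBytes k "UTF-8")))

(def cookie-session-app
  (wrap-defaults handler
                 (assoc-in site-defaults [:session :store]
                           (cookie-store {:key session-key}))))
```

With `monitored-app`, issuing requests without a session cookie and polling `session-count` shows one new entry per request that is never released; `cookie-session-app` keeps the count at zero because nothing is stored server-side.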