Closed. kevinavery closed this 6 years ago.
That's true, 0.5.2 was a security fix and 0.5.3 fixed rare encoding problems. There isn't currently any migration code.
I'd be happy to add the migrations. How about we add a config like
akka.http.session {
  ...
  token-migration {
    v0-5-2 {
      enabled = false
    }
    v0-5-3 {
      enabled = false
    }
  }
}
Then we simply allow the old deserialization format if the config is enabled.
There's probably a way to safely accelerate the token turnover in certain cases, but I haven't familiarized myself with the codebase yet and don't want to complicate things.
What do you think?
Sounds good! So if the migration is enabled, an attempt would be made to deserialize using the old format, and if that works, set the token to the new one?
When you say "set the token to the new one" do you mean attempt to update the client by sending the new cookie/header back in the response? That's what I had referred to, but I am a little concerned about doing essentially a write-session op as a side effect of a read-session. I can certainly look into it, but again, I haven't dug into this implementation yet. Hoping to get to it later this week.
Yes, I think the goal is to migrate existing users to the new format?
Get-session sometimes causes a new session to be established - if "remember me" is used.
Right, though even without explicitly updating the tokens, they will automatically migrate as they expire and new tokens are created. If we imagine devs will leave the migrations enabled long enough to migrate all existing tokens - the max of the session or refresh token expiry period - then it wouldn't make a practical difference, if I understand correctly.
Nonetheless I agree it would be nice to accelerate the turnover. Since the "remember me" feature already works that way, it shouldn't be surprising to clients (who may have some custom header-based session management).
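As an added, self-contained illustration of the migration flow discussed above (not code from akka-http-session, and written in Python rather than the library's Scala so it runs stand-alone): the two token layouts, the secret and the session fields are constructed stand-ins for the pre- and post-fix formats. The decoder accepts the legacy layout only while the migration flag is on, and in that case also hands back the session re-encoded in the current format for the caller to send to the client.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo key; a real deployment takes this from configuration.
SECRET = b"constructed-demo-secret"


def _mac(data: bytes) -> str:
    return hmac.new(SECRET, data, hashlib.sha256).hexdigest()


# Legacy layout (stand-in for the pre-fix format): "<hex mac>-<json payload>"
def encode_legacy(session: dict) -> str:
    payload = json.dumps(session, sort_keys=True)
    return f"{_mac(payload.encode())}-{payload}"


# Current layout (stand-in for the post-fix format): "v2:<b64url payload>:<hex mac>"
# The MAC covers the version prefix so a legacy MAC cannot be replayed here.
def encode_current(session: dict) -> str:
    payload = base64.urlsafe_b64encode(json.dumps(session, sort_keys=True).encode()).decode()
    return f"v2:{payload}:{_mac(b'v2:' + payload.encode())}"


def _decode_legacy(token: str) -> Optional[dict]:
    mac, sep, payload = token.partition("-")
    if not sep or not hmac.compare_digest(mac.encode(), _mac(payload.encode()).encode()):
        return None
    return json.loads(payload)


def _decode_current(token: str) -> Optional[dict]:
    parts = token.split(":")
    if len(parts) != 3 or parts[0] != "v2":
        return None
    if not hmac.compare_digest(parts[2].encode(), _mac(("v2:" + parts[1]).encode()).encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(parts[1]))


def decode_session(token: str, legacy_migration_enabled: bool) -> Tuple[Optional[dict], Optional[str]]:
    """Return (session, reissued_token). reissued_token is set only when the token
    was accepted via the legacy path, i.e. the client should receive a new one."""
    session = _decode_current(token)
    if session is not None:
        return session, None
    if not legacy_migration_enabled:
        return None, None  # migration off: old tokens are simply invalid
    session = _decode_legacy(token)
    if session is None:
        return None, None  # tampered or unknown layout
    return session, encode_current(session)  # accepted once, re-issued in the new format
```

A legacy token is verified with the same MAC check as before it is trusted; the migration flag only widens which layouts are tried, never skips authentication.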
Pull request here https://github.com/softwaremill/akka-http-session/pull/55
Fixed in 0.5.4
Session tokens created under v0.5.1 are invalid after upgrading to v0.5.2. This means upgrading the library causes all users to be logged out.
It looks like this was the relevant change: https://github.com/softwaremill/akka-http-session/commit/5ef05778d0ae25f18f57bf3a81bb7ab147e89300
Separately, upgrading from v0.5.2 to v0.5.3 also breaks existing session tokens.
Is there a token migration path for users with old tokens?