Skip to content

feat(*): Redis-backed revocation for stateless cookie sessions#208

Open
Hockenba wants to merge 7 commits into
bungle:masterfrom
geico:master
Open

feat(*): Redis-backed revocation for stateless cookie sessions#208
Hockenba wants to merge 7 commits into
bungle:masterfrom
geico:master

Conversation

@Hockenba

@Hockenba Hockenba commented Jul 2, 2026

Copy link
Copy Markdown

Summary

This PR adds optional Redis-backed session revocation store for stateless (cookie) sessions. On session:open, the library checks whether the session ID has been revoked. On session:destroy, it writes a lightweight sentinel to Redis with a TTL matching the session’s remaining lifetime—no session payload is stored.

Revocation is opt-in via revocation and revocation_fail_mode. It only applies when storage is nil or "cookie". The default fail mode is "open" (if Redis is unreachable, sessions are treated as valid and destroy still clears the cookie); "closed" rejects open/destroy when the store is unavailable.

Revocation applies to full destroy/logout, but not to session rotation on session:save or partial multi-audience logout—those cookies remain valid until their normal timeout or stale_ttl expires.

Test plan

  • spec/06-revocation-1_spec.lua
  • spec/07-revocation-2_spec.lua

Drop redundant open tests and post-open revocation mutation; exercise
revocation via redis.mode and real Redis integration where possible.

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant