Throttle set_session_expires.

[zwn]

set_session_expires used to update the field session_expires in the participants
table on each http hit.

From #1878 (comment)

[seanlinsley]

I've never quite understood with self.db.get_cursor() as c:. I just looked up what with does, and that's actually pretty cool. So, going further:

• What does self.db.get_cursor() do to this code? What would happen without it? Does the FOR UPDATE lock expire at the end of the with block?
• I'm confused how this fixes the problem of multiple threads trying to update the same data. It seems like now those threads might each still attempt the SQL UPDATE at the same time. It's just that now all but one would fail, because the first thread locked the row.

[zwn]

The lock expires with the end of the transaction. When a thread encounters a locked row, it blocks until the lock is released. Therefore only the first thread does the update, the next ones get the updated value and skip the update. Now thinking about it, it can be made simpler.

Please do not merge for now.

[zwn]

@seanlinsley How about now?

[seanlinsley]

Is there really a need to record this event? Seems like that's going to bloat the database without adding value.

[zwn]

The final goal here is to be able to recreate the whole db the events table. So all changes should be logged here. See #1549 (comment) for the general plan.

[seanlinsley]

Why would we ever want to recreate session_expires? Why are we storing this in the database in the first place?

[seanlinsley]

It seems like a signed / encrypted cookie would be a much better approach.

[zwn]

💡 If only you had asked me 17 days ago 😀. I have been trying to find with 🔦 where it is used for some time now. It seems.... surprise surprise... that nowhere ‼️. Thank you!

Just dumping the column session_expires and all code related to it would not change a bit about the site behavior. The participant object is just created from session_token gittip/security/authentication.py#L49. Grepping for expires brings up only code related to writing it.

[chadwhitacre]

35% of our participants table has an expired session (session_token is not null and session_expires < now()).

[chadwhitacre]

(P.S. 1.3% have a non-expired session.)

[chadwhitacre]

I just killed old sessions with this:

update participants set session_token=null where session_expires < now();

Looks like we don't reset session_expires in Participant.end_session, which is also a bug. But we should probably clean up such things in a separate PR, eh?

[chadwhitacre]

@zwn @seanlinsley So what's the next step here?

[seanlinsley]

1. update this PR so we don't store an event
2. update the code so we don't respect expired sessions
3. (optional, after this PR) instead of storing in the database, sign the cookie with something like tokenlib, ref: move caching out of memory #715

[seanlinsley]

In an effort to get through our outstanding PRs, I'm going to take this on.

[seanlinsley]

Rebased on master (7731357 -> 5641344)

[zwn]

@seanlinsley Thanks. The original point of this PR was to "fix" writing to session_expires on each and every hit for signed in users.

[clone1018]

@seanlinsley How can I help get this one done? Do we need a hackaton?

[clone1018]

Just found #2041 (comment) thanks to @seanlinsley . I'll check it out tonight.

[seanlinsley]

Closing this in favor of #2332. Deleting the branch via the Github UI so we can restore it later if needed.