
How to invalidate a session? #98

Closed
ComboStyle opened this issue Jun 14, 2016 · 2 comments


ComboStyle commented Jun 14, 2016

Hi nice project but there are some things I do not fully understand

  1. (not related to the title) what is the differences exactly between this package and the auth-cookie package?
  2. How can I invalidate a session? (for example when a user clicks on logout)
  3. How can I invalidate a session when the current session belongs to another user (for example admin wants to remove admin rights from another account, current session is admin A and I want to invalidate a different session which belongs to admin B)

I'm thinking to use yar as a pure session implementation with Redis as the session backend cache.

(by the way if I use yar as a pure session, does it store the session ID in the cookie? and does it sign the session ID?)

Thanks in advance

EDIT: Pure session = maxCookieSize: 0

@mark-bradshaw (Contributor)

Hi @kfir124

  1. Yar and auth-cookie are parallel projects, but not connected in any way. I'm not intimately familiar with AC, but I'll give this question a shot. Yar is simpler to use IMO. AC has additional complexities. Auth-cookie, as the name suggests, ties into the authentication layer of Hapi and so requires a user be logged in to use it. Yar has no such requirements. Sessions are independent of logins. Another difference, as I understand it, is in storage size. Yar handles arbitrary-length data by automatically dropping data into the hapi cache layer if necessary, though it tries to use cookies where it can. AC can use a cache fallback, but you have to handle that manually. I'd suggest just looking over the docs for both and seeing which seems to appeal more.
  2. When the user logs out use yar.reset() to clear out the session.
  3. That's trickier. I'm afraid there's no direct way to target a specific session of another browser/user. You'll need to write some code to check for invalidated sessions and clear them, or double check admin permissions instead of relying on the session to grant access. Something like that.

Using yar with redis is very common. Just set up redis as your hapi caching layer (https://github.com/hapijs/catbox-redis) and you're all good. Yar will do the rest.

The session id is kept in the cookie, and the cookie is always encrypted.

lock bot commented Jan 9, 2020

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
