Currently, both the client side session (see HERE) and the server side session (see HERE) require the max_age parameter to be set (either explicitly or by using the default value). This makes it impossible to create session-only cookies - sessions that disappear when the browser is closed.
Client Side
This is pretty straightforward - the Cookie datastructure already supports max_age being None and it is passed from the session config.
I think only changing the field type in CookieBackendConfig and the post-init validator should suffice.
Server Side
This is more complicated, as the max_age not only applies to the cookie but to the store as well. The ServerSideSessionBackend supports setting the expiration to None. The complication is that this way it would be impossible to check which sessions are stale, as the backend does not know whether the browser has been closed or not.
The solution I can think of is adding an optional field to the config which would allow setting the server-side max_age separately, which would by default be set to the cookie max_age. Something like a session_max_age parameter. It could also be set to None, as this is allowed for Stores.
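```python
from redis.asyncio import Redis
from litestar import Litestar
from litestar.middleware.session.server_side import ServerSideSessionConfig
from litestar.stores.redis import RedisStore

# `index` is a route handler defined elsewhere.
redis = Redis()
store = RedisStore(redis)
app = Litestar(
    route_handlers=[index],
    stores={"sessions": store},
    # session_max_age is the parameter proposed in this issue; it does not exist yet.
    middleware=[ServerSideSessionConfig(max_age=None, session_max_age=1000).middleware],  # or maybe some other way
)
```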
But maybe someone will have a better idea?
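The separation proposed above, sketched with the standard library only. This is an added example, not Litestar's code and not the issue author's: `TTLStore`, `session_cookie` and `create_session` are hypothetical names, and `session_max_age` mirrors the parameter proposed in the issue. It shows a session-only cookie (no `Max-Age`) whose server-side record still expires, so a session ID cannot stay valid indefinitely.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Optional


class TTLStore:
    """Minimal in-memory store; expires_in=None means the entry never expires."""

    def __init__(self, clock=time.monotonic):
        self._data = {}
        self._clock = clock

    def set(self, key, value, expires_in: Optional[float]):
        deadline = None if expires_in is None else self._clock() + expires_in
        self._data[key] = (value, deadline)

    def get(self, key):
        item = self._data.get(key)
        if item is None:
            return None
        value, deadline = item
        if deadline is not None and self._clock() >= deadline:
            del self._data[key]  # stale session: drop it server-side
            return None
        return value


def session_cookie(session_id: str, max_age: Optional[int]) -> str:
    """Build a Set-Cookie value; max_age=None yields a session-only cookie."""
    cookie = SimpleCookie()
    cookie["session"] = session_id
    morsel = cookie["session"]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    if max_age is not None:
        morsel["max-age"] = max_age  # omitted entirely for session-only cookies
    return morsel.OutputString()


def create_session(store, data, max_age, session_max_age):
    """max_age controls the cookie; session_max_age controls the stored record."""
    session_id = secrets.token_urlsafe(32)
    store.set(session_id, data, expires_in=session_max_age)
    return session_id, session_cookie(session_id, max_age)
```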