session invalidation with redis #58
Comments
While you log out in tab1, tab2 is processing an endpoint; is that the pattern?
The case you described is valid. The first request, which destroys the session, wins. Any other will initiate a new session. Your workaround, actually, is not a workaround but a good custom app-specific backend.
Yes
The issue here is that connections are concurrent, so even if the first request destroys the session, since the second request read the session before it got destroyed, the session will be saved again by the second request.
The semantics of the starsessions API look good to me (the first request must WIN); it's just a bug of the Redis backend.
As I understood, the issue is not with the backend. The Can you attach a code snippet to reproduce locally?
I created a test case of the issue here: #59 |
Hi - is there any intent to fix this or should we use the workaround? |
Currently, the Redis backend has some issues during logout with concurrent requests.
If the browser has two tabs open to the application, on the first tab the user logs out (let's call it REQ1) and on the second tab the application does some background jobs and issues HTTP requests (this one will be REQ2).
In the worst-case scenario, here is what happens with the session object on the server side:
1. REQ1: start and load the session with session_id=XXX
2. REQ2: start and load the session with session_id=XXX
3. REQ1: clear the session; starsessions removes the Redis key with session_id=XXX and generates a new session_id=YYY
4. REQ1: finish and save session_id=YYY to the browser cookie
5. REQ2: finish; starsessions saves the session and re-creates the Redis key for session_id=XXX
6. REQ1: finish and save session_id=XXX to the browser cookie
Since the Redis key has been recreated and the last request the browser has seen is with session_id=XXX, the user will not really be logged out.
Here is a fix I use to work around this issue:
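As an added example (not starsessions' code and not the reporter's fix), this replays the REQ1/REQ2 interleaving above against a dict standing in for Redis. The `save_if_exists` method is an assumed mitigation modelled on a conditional write such as Redis SET with the XX flag: a request that loaded an existing session may only write it back while the key still exists, so REQ2 cannot resurrect the key REQ1 removed (a brand-new session like YYY still needs an unconditional create).

```python
# Constructed replay of the logout race described in the issue. The Store
# class is an in-memory stand-in for the Redis backend, not starsessions
# code; save_if_exists models SET ... XX as one possible mitigation and is
# an assumption of this example.

class Store:
    """In-memory stand-in for a Redis session backend."""

    def __init__(self):
        self.keys = {}

    def load(self, sid):
        """Return a copy of the stored session data, or None if no key."""
        data = self.keys.get(sid)
        return dict(data) if data is not None else None

    def save(self, sid, data):
        """Plain SET: writes unconditionally, so a removed key is re-created."""
        self.keys[sid] = dict(data)

    def save_if_exists(self, sid, data):
        """SET ... XX: write back only while the key is still present."""
        if sid not in self.keys:
            return False
        self.keys[sid] = dict(data)
        return True

    def remove(self, sid):
        """DEL: drop the session key on logout."""
        self.keys.pop(sid, None)


def replay_logout_race(conditional_save):
    """Run the interleaving and report which session keys survive."""
    store = Store()
    store.keys["XXX"] = {"user": "alice"}   # constructed logged-in session
    store.load("XXX")                       # REQ1 starts and loads XXX
    req2 = store.load("XXX")                # REQ2 starts and loads XXX too
    store.remove("XXX")                     # REQ1 clears: key XXX removed
    req1 = {}                               # ...and gets a fresh, empty session
    store.save("YYY", req1)                 # REQ1 finishes under new id YYY
    # REQ2 finishes and writes back the data it read before the logout.
    if conditional_save:
        written = store.save_if_exists("XXX", req2)
    else:
        store.save("XXX", req2)
        written = True
    return {"XXX_resurrected": written and "XXX" in store.keys,
            "YYY_exists": "YYY" in store.keys,
            "XXX_data": store.load("XXX")}
```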