use a lib for server side sessions #954

davidcoutadeur · 2024-08-02T17:26:35Z

The goal is to remove things like:

htdocs/sendtoken.php:    ini_set("session.use_cookies",0);
htdocs/sendtoken.php:    ini_set("session.use_only_cookies",1);

in htdocs/sendtoken.php, htdocs/resetbytoken.php, htdocs/sendsms.php (but not necessarily for lib/captcha/InternalCaptcha.php which needs a session maintained at client side)

For this, we need to find a way to maintain server side sessions. Ideally with multiple possibilities of storage (file, redis,...)

Depending on the complexity, maybe we won't have time for doing this in 1.7.0.

The text was updated successfully, but these errors were encountered:

davidcoutadeur · 2024-08-02T17:40:10Z

See also the conversation in this PR: https://github.com/ltb-project/self-service-password/pull/949/files#diff-60c04a04215ce092db74c81c7eaf4bf5e6c49f796b4ae6e3c526ce70758f33f6

davidcoutadeur · 2024-08-28T17:48:48Z

I have found and implemented a solution based on Symfony cache.

See #967

It's quite extendable. For example, we could define another storage simply: memcached, redis,... Complete list here: https://symfony.com/doc/current/components/cache/cache_pools.html

TODO:

add documentation. At least add an upgrade note for explaining the loss of previous sessions
manage cache expiration for each use case, especially when there is already an expiration defined in the token saved in cache
add some cache parameters in default configuration file
test more deeply the new feature
reference new composer dependency in debian, red-hat packages, and select appropriate version of symfony/cache in composer.json

- add upgrade notes, - add cache parameters in config, - remove expired cache entries, - remove some warning messages, - security: always display the same message: invalid token even if the user is not found in ldap, - add more logs, - set an expiration time for each cache entry

- use symfony cache for managing sessions, - add upgrade notes, - add 2 cache parameters in config, - remove expired cache entries, - remove some warning messages, - security: always display the same message: invalid token even if the user is not found in ldap, - add more logs, - set an expiration time for each cache entry, - set symfony/cache version in composer.json, - adding new cache bundled dependencies in packages and doc

davidcoutadeur added the enhancement label Aug 2, 2024

davidcoutadeur added this to the 1.7.0 milestone Aug 2, 2024

davidcoutadeur self-assigned this Aug 2, 2024

davidcoutadeur pushed a commit that referenced this issue Aug 28, 2024

use symfony cache for managing session-side storage (#954)

0074476

davidcoutadeur mentioned this issue Aug 28, 2024

use symfony cache for managing session-side storage (#954) #967

Merged

davidcoutadeur pushed a commit that referenced this issue Sep 9, 2024

set symfony/cache version (#954)

7fb1974

davidcoutadeur pushed a commit that referenced this issue Sep 9, 2024

adding new cache bundled dependencies in packages and doc (#954)

5ad0bb9

davidcoutadeur closed this as completed in #967 Sep 9, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

use a lib for server side sessions #954

use a lib for server side sessions #954

davidcoutadeur commented Aug 2, 2024

davidcoutadeur commented Aug 2, 2024

davidcoutadeur commented Aug 28, 2024 •

edited

Loading

use a lib for server side sessions #954

use a lib for server side sessions #954

Comments

davidcoutadeur commented Aug 2, 2024

davidcoutadeur commented Aug 2, 2024

davidcoutadeur commented Aug 28, 2024 • edited Loading

davidcoutadeur commented Aug 28, 2024 •

edited

Loading