Controlling session expiration #174
Comments
perhaps this is better asked at the lua-resty-session project |
OK I will do that. I wasn't sure if lua-resty-openidc was invoking the methods of lua-resty-session itself to store its cookie or if it just relied on whatever lua-resty-session is doing out of the box. Thanks. |
yes, it does the latter indeed |
Thank you Hans. Indeed I found the answer to my question in bungle/lua-resty-session#44 (comment). If anybody who reads this has the same issue, the main point is that the session cookie is updated if the session:save() method is invoked. This happens when lua-resty-openidc refreshes the JWT tokens. But if you don't have anything else touching the session and you have configured your OP to issue access tokens with a longer lifetime than your session, you can reach the end of your session without any token refresh and therefore the session cookie would expire even if you had many requests/responses going through Nginx.

In my case I have resolved the issue by making the token lifetime a fraction of the session cookie lifetime. I guess another solution could be to call session:save() or session:regenerate() explicitly myself when needed. But I didn't want to have to deal with the logic of deciding when it is time to renew the session cookie or not. It would be nice if lua-resty-session had some sort of session:regenerateIfNeeded() method.

By the way, another pitfall is the way $session_cookie_renew is used by default bungle/lua-resty-session#44 (comment). I've set my $session_cookie_renew equal to my $session_cookie_lifetime just to be safe. |
I'm re-opening because I guess we need to take a better look at this. |
have the session cookie renewed according to `session.cookie.renew` and `session.cookie.lifetime` settings Signed-off-by: Hans Zandbelt <hans.zandbelt@zmartzone.eu>
I believe we should just call |
Sure, I can do that. I might need a couple of days however before I can get to it. |
Sorry for the delay, have been traveling. |
ah, good point indeed; but: didn't we call start for those paths anyhow? not 100% sure but it seems like managing your own session outside of |
which means you could have used the session before calling into lua-resty-openidc when you knew the user was authenticated and knew the token wasn't going to get refreshed. So I agree, it is very unlikely this is going to break backwards compatibility unless you've been willing to deal with your session getting destroyed every now and then anyway. |
ok, I don't feel we should worry about that since it was never part of any "advertised" capability |
Everything works as expected as far as I can tell. I have done two test cases. In both cases my IDP (Ping Federate) is configured to issue tokens that expire far in the future in order to avoid any interaction with the IDP after the initial authentication flow. In test case 1, my NGINX config had:
After the initial authentication, I get a cookie that has an expiration in 3 minutes as expected. Following requests in the next 2 minutes don't get new cookies (no Set-Cookie header in the response). After 2 minutes but before 3 (i.e. during the renew period), if I send a request, the response comes with a new set of cookies valid for another 3 minutes. I continue to send requests for 2 minutes and the cookies remain the same again. This time, in the last minute before the expiration of the current cookie (i.e. during the renew period), I stop sending requests to let the session expire; once it has happened, if I send a request I get a 401 as expected. In test case 2, I changed my NGINX config to:
This is closer to what I am planning to use in production. After the initial authentication, I get a cookie that has an expiration in 3 minutes as expected. Every subsequent request gets a new set of cookies valid for another 3 minutes. If I don't send any request for more than 3 minutes, then I get a 401 as expected. I am closing this issue but let me know if you see another worthwhile test case. Now that I have everything setup, it should be pretty quick for me to test. |
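The three behaviours discussed in this thread (a session that is only refreshed when something calls save(), a renew window shorter than the lifetime, and renew equal to lifetime) can be reproduced with a small model of sliding-window cookie renewal. The block below is an added example written for this page, not code from lua-resty-session or lua-resty-openidc; it assumes the semantics the tester reports above (a fresh cookie with a full `lifetime` is issued when the remaining validity is within `renew` seconds, and a request after expiry gets a 401) and uses constructed request timings, not captured traffic. Setting `renew = 0` models the "nothing touches the session" case from the earlier comment.

```python
"""Model of sliding-window session-cookie renewal (constructed example).

Assumed semantics, taken from the test reports in this thread:
  * after login the cookie is valid for `lifetime` seconds;
  * on each request, if the remaining validity is <= `renew` seconds a new
    cookie valid for a full `lifetime` is sent (Set-Cookie), otherwise the
    cookie is left untouched;
  * a request arriving at or after expiry is rejected with 401.
This is a stand-alone model, not the lua-resty-session implementation.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SessionState:
    expires_at: float  # absolute time in seconds after which the cookie is invalid


def handle_request(state: Optional[SessionState], now: float,
                   lifetime: float, renew: float) -> Tuple[int, bool, Optional[SessionState]]:
    """Return (http_status, set_cookie_sent, new_state) for one request."""
    if state is None or now >= state.expires_at:
        # Expired or no session: the user has to authenticate again.
        return 401, False, None
    remaining = state.expires_at - now
    if remaining <= renew:
        # Inside the renew window: issue a fresh cookie for a full lifetime.
        return 200, True, SessionState(expires_at=now + lifetime)
    # Outside the renew window: no Set-Cookie header on this response.
    return 200, False, state


def simulate(lifetime: float, renew: float,
             request_times: List[float]) -> List[Tuple[float, int, bool]]:
    """Authenticate at t=0, replay requests at the given times.

    Returns one (time, status, set_cookie_sent) tuple per request.
    """
    state: Optional[SessionState] = SessionState(expires_at=lifetime)
    results = []
    for t in request_times:
        status, set_cookie, state = handle_request(state, t, lifetime, renew)
        results.append((t, status, set_cookie))
    return results


def set_cookie_count(results: List[Tuple[float, int, bool]]) -> int:
    """Number of responses that carried a renewed cookie."""
    return sum(1 for _, _, sent in results if sent)


if __name__ == "__main__":
    # Constructed timings, in seconds, for the three scenarios from the thread.
    LIFETIME = 180
    # Test case 1 style: renew window = last 60 s of a 180 s lifetime.
    case1 = simulate(LIFETIME, 60, [30, 60, 119, 150, 200, 250, 340])
    # Test case 2 style: renew == lifetime, every request refreshes the cookie.
    case2 = simulate(LIFETIME, 180, [1, 100, 250, 431])
    # Nothing ever saves the session: steady traffic still ends in a 401.
    case3 = simulate(LIFETIME, 0, [60, 120, 179, 180])
    for name, res in (("renew=60", case1), ("renew=180", case2), ("renew=0", case3)):
        print(name)
        for t, status, sent in res:
            print(f"  t={t:4}  status={status}  Set-Cookie={'yes' if sent else 'no'}")
```

With `renew=60` only the request at t=150 (30 s of validity left) gets a new cookie, and a quiet period that spans the renew window ends in a 401; with `renew=180` every request refreshes the cookie, so the session only dies after a gap longer than the lifetime; with `renew=0` the cookie is never refreshed and the 401 arrives at the original expiry regardless of traffic, which is the situation described in the earlier comment.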
many thanks @thomasleplus |
…open use session.start instead of session.open; see #174; thanks @thomasleplus
Hello,
I am facing an issue getting precise control over the lifetime of the session. I think that there is something I have trouble understanding in the interaction between lua-resty-session and lua-resty-openidc. I have configured my OP to give tokens valid for 1 day in order to take the refreshing of the token out of the picture for now. I am only trying to figure out how the nginx session works.
Below is an extract of my nginx.conf where I am trying to set a lifetime for my session of 10 minutes:
However if I send a request after 5 minutes, I get a 401 response with the following messages in nginx logs:
I am failing to understand why "Session info request is either unauthenticated or authentication has expired" at only 5 minutes instead of 10. When I had $session_cookie_lifetime set at 1 hour (3600) it seemed like the session was expiring at around 30 minutes so again half of the intended value.
Any suggestion would be greatly appreciated.
Cheers,
Tom