Wednesday, December 28, 2016

Re: bug of session middleware --- session never expires

On Sunday 25 December 2016 18:42:16 Chaos Wong wrote:

 

> Thanks for the advice.

> It's indeed a rude way to force session to expire only depend on the

> absolute time. User always encounters session-expired event when

> posting something.

> I will consider your way 3). But how the django know user has closed

> the browser ?

 

It doesn't. The browser does.

When a cookie does not have an expiration time set, the cookie is not stored on disk but only in memory. When the browser is closed, the cookie is gone.

That means when the browser is opened again, it cannot send the session ID in the cookie anymore. This means a new session should be created (new login), and the old session should not be requested anymore and will eventually be evicted.

This also means that there will be a time window where the server session is valid, while the browser doesn't know about it anymore. So the old session could be taken over by someone listening on the wire. This is why encryption is paramount and browser now support Strict Transport Security.

 

--

Melvyn Sopacua

No comments:

Post a Comment