Expired Sessions in a Browser App

ellioseven · July 30, 2020, 1:48am

I’ve got some questions about how to deal with expired sessions in a browser app. It seems like the whoami endpoint returns session data even if the session has expired. So I need to handle that myself?

It seems to me that the login?refresh=true endpoint needs to be used to refresh that session. However the user has to enter their password, which isn’t really ideal in this case. It means I have to set a long session expiry, say 24 hours.

Are there any major security implications of having a long session expiry? Is there a way for a user to extend their session without having to “log in again”?

hackerman · July 30, 2020, 11:47am

The issue has been resolved on master and we’ll also be adding a secondary check. The problem was that the cookie expiry time was not correctly being set. So there’s no need for you to work around this, it’s just a bug right now

Logout behaves correctly!

hackerman · July 30, 2020, 12:37pm

tnm0113 · August 31, 2020, 8:28am

I have pulled latest code on master, built docker and deployed to k8s, but it seems log out flow doesnt work correctly. After logging out from browser, i request to whoami endpoint with session id in cookie and still get result with valid session. Or i misundestand the point that when log out we doesnt set session expire ?

hackerman · September 5, 2020, 2:29pm

There’s another patch which is part of a bigger change waiting to be merged. It adds active flags to sessions to ensure valid sessions!