Skip to content

Destroy session completely #1201

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 25, 2017
Merged

Destroy session completely #1201

merged 1 commit into from
Oct 25, 2017

Conversation

Martii
Copy link
Member

@Martii Martii commented Oct 25, 2017

  • When logging out destroy the current session not only in the User model but also the session store
  • Currently maxAge is set to expire at browser session end... client side cookie goes away at browser private data clear but sessionId in the store sticks around for quite some time. Logging out means destroy it and login again later.
  • Leaving the old delete in for extra cautiousness... not really needed imho as it throws an error outside of it after destroy()

Related to #604

@Martii
Destroy session completely
95857e5 
* When logging out destroy the current session not only in the User model but also the session store
* Currently `maxAge` is set to expire at browser session end... client side cookie goes away at browser private data clear but sessionId in the store sticks around for quite some time. Logging out means destroy it and login again later.
* Leaving the old `delete` in for extra cautiousness... not really needed imho as it throws an error outside of it after `destroy()`

Related to OpenUserJS#604
@Martii Martii added bug You've guessed it... this means a bug is reported. CODE Some other Code related issue and it should clearly describe what it is affecting in a comment. DB Pertains inclusively to the Database operations. security Usually relates to something critical. labels Oct 25, 2017
@Martii Martii merged commit f4bd642 into OpenUserJS:master Oct 25, 2017
@Martii Martii deleted the removeFromSessionStoreOnRemove branch October 25, 2017 22:52
@Martii Martii added the needs mitigation Needs additional followup. label Oct 25, 2017
@Martii
Copy link
Member Author

Martii commented Oct 25, 2017

Adding needs mitigation label for the TODO: which entails possibly utilizing the callback and error checking.

Ref(s):

Martii added a commit to Martii/OpenUserJS.org that referenced this pull request Jun 11, 2018
@Martii
GDPR5
a3177aa 
* Destroy session instead of just blanking out the User object \*confused as to why this was done but pre-me joining\*
* This is another session leak discovered last week and is our current orphan from OpenUserJS#1409... will clean up in a while
* One comment typo that's been elusive every time I want to fix it

NOTES:
* Now satisfied with "logout" destroy as it seems to be working well every test... so removed fallback
* "There... is... another... \*gasp\*" * Yoda *(working on twiddling to create a fix for it)*

Related to OpenUserJS#604 OpenUserJS#1201 and OpenUserJS#1393
@Martii Martii removed the needs mitigation Needs additional followup. label Jun 11, 2018
@Martii Martii mentioned this pull request Jun 11, 2018
Merged
Martii added a commit that referenced this pull request Jun 11, 2018
@Martii
GDPR5 (#1411)
d58b8f8 
* Destroy session instead of just blanking out the User object *(and cookie)* \*confused as to why this was done but pre-me joining\*
* This is another session leak discovered last week and is our current orphan from #1409... will clean up in a while
* One comment typo that's been elusive every time I want to fix it

NOTES:
* Now satisfied with "logout" destroy as it seems to be working well every test... so removed fallback
* "There... is... another... \*gasp\*" * Yoda *(working on twiddling to create a fix for it)*

Related to #604 #1201 and #1393
Martii added a commit to Martii/OpenUserJS.org that referenced this pull request Jun 12, 2018
@Martii
GDPR8
c3ee2ee 
* Use very short session before successful auth. Session "bleeding" briefly mentioned at OpenUserJS#1411 . This is "expanded" after successful auth.
* Output `originalMaxAge` for sync check in *express-session* via MongoDB
* Don't easily expose improper/expired callbacks. Part of OpenUserJS#37
* Remove some currently unneeded `return` statements already captured by block braces

Related to OpenUserJS#604 OpenUserJS#1201 OpenUserJS#1202 and OpenUserJS#1393
@Martii Martii mentioned this pull request Jun 12, 2018
Merged
Martii added a commit that referenced this pull request Jun 12, 2018
@Martii
GDPR8 (#1416)
8c35610 
* Use very short session before successful auth. Session "bleeding" briefly mentioned at #1411 . This is "expanded" after successful auth.
* Output `originalMaxAge` for sync check in *express-session* via MongoDB
* Don't easily expose improper/expired callbacks. Part of #37
* Remove some currently unneeded `return` statements already captured by block braces

Related to #604 #1201 #1202 and #1393 

Auto-merge
@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 5, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
bug You've guessed it... this means a bug is reported. CODE Some other Code related issue and it should clearly describe what it is affecting in a comment. DB Pertains inclusively to the Database operations. security Usually relates to something critical.
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Martii