Skip to content

Reduce usage of the user-side session object #1362

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ColdHeat opened this issue Apr 29, 2020 · 3 comments
Closed

Reduce usage of the user-side session object #1362

ColdHeat opened this issue Apr 29, 2020 · 3 comments
Labels
blocker
Milestone
3.0

Comments

@ColdHeat
Copy link
Member

The user side session is very difficult to modify. We should only store the user's ID in it.

  1. Next major version, cut out all session data besides the user's ID
  2. Make a function that takes user ID and returns the user's properties (name, email, role)
  3. Cache that function with arguments
  4. Invalidate that function's cache key when the user's properties change
@ColdHeat ColdHeat added this to the 3.0 milestone Apr 29, 2020
@ColdHeat
Copy link
Member Author

All user properties should be relegated to cache items. Banned, verified, etc.

@ColdHeat
Copy link
Member Author

With this approach it might be possible to push sessions back to the user's cookie. Not sure if there would be benefits or not.

@ColdHeat ColdHeat mentioned this issue May 29, 2020
Merged
ColdHeat added a commit that referenced this issue Jun 3, 2020
@ColdHeat
Remove keys from session and inject Session class into Jinja (#1456)
52c65ce 
* Closes #1362
* Reduces the session object to just an id, nonce, and security hash
@ColdHeat
Copy link
Member Author

ColdHeat commented Jun 7, 2020

This should be closed with 62b5d4f.

The fundamental point to take away is that a user's ID is stored in the session which denotes that they are authenticated. But their actual information should be cached and capable of being invalidated.

Specifically the hash session value can be invalidated to force the user to re-authenticate.

@ColdHeat ColdHeat closed this as completed Jun 7, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
blocker
Projects
None yet
Milestone
3.0
Development

No branches or pull requests
1 participant
@ColdHeat