Delete sessions by value
So, let's say I create a session and save the username to the session, which I then use throughout my API. Any user can have multiple sessions. Then, let's say they change their username. Now, if someone changes their username to the username they previously had, as usernames are the primary key, they now have access to the new user with that username. So:
- User A creates username `tom`
- `tom` is saved to session
- `tom` changes username to `zeke`
- new user creates account with username `tom`
- `zeke` now has access to `tom`'s account information, because he has a session with the `username` value set to `tom`.
So, I guess I can just make a `SERIAL` key the session id, but that still leaves the problem that any session data saved will be stale if it changes, like the username. So, is there any way to get all sessions with the `id` value set to `1234`, for example, or do I just need to retrieve all data from the database, just in case it has changed, even if it doesn't change very often?
This package gives each session an encrypted ID and stores the ID in the cookie. That is, each session is tied not to the user, but to the cookie.
So, with your example,
1. UserA creates the session with the name `tom`.
2. UserA changes his/her username to `zeke`.
3. But the ID of the session cannot be changed.
4. UserB creates the session with the name `tom`.
5. UserA cannot access the session created in 3. because UserA cannot know the ID in the browser UserB is using.
This package hides the ID of sessions and users cannot access them. So you need not worry about conflicts or old sessions.
But ok, a malicious User C creates a botnet to create thousands of common usernames across tons of different browsers. Then he changes all the usernames to something random, but he keeps the session cookies. Then he waits until people create those usernames for themselves. Now he has a cookie associated with their username, and he can access their account.
But ok, say I just associate the session with `user_id` instead of username (which I have done). Say UserD suspects someone else has gotten his password, and wants to log out of his account across every session. How would I accomplish that?
So, my solution is to add another value to the session, `date_signed_in`, and check the last time the user signed everyone else out of the account. If the `date_signed_in` is after that, then delete the session. This is obviously a workaround and inefficient, though, and it would be preferable to just be able to delete all sessions a user has.
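One way to get what this post asks for, a store that can find and delete every session of a user by `user_id` rather than relying on the `date_signed_in` workaround, as an added example written in Go; it is not the package's own code, and `Store`, `Create`, `Lookup` and `RevokeAll` are hypothetical names, with an in-memory map standing in for the database table:

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
)

// Store is a hypothetical in-memory stand-in for a database-backed session
// store (not the package's own API); a real one would also need locking.
// Sessions carry the stable user_id, never the username, so a rename cannot
// re-bind an old cookie to a new account.
type Store struct {
	userOf map[string]int64          // session ID -> user_id
	byUser map[int64]map[string]bool // reverse index: user_id -> session IDs
}

func NewStore() *Store {
	return &Store{userOf: map[string]int64{}, byUser: map[int64]map[string]bool{}}
}

// Create issues a random 128-bit session ID for userID and adds it to the
// per-user index, so all of one user's sessions are found without a scan.
func (s *Store) Create(userID int64) string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy available; never fall back to a guessable ID
	}
	id := hex.EncodeToString(b)
	s.userOf[id] = userID
	if s.byUser[userID] == nil {
		s.byUser[userID] = map[string]bool{}
	}
	s.byUser[userID][id] = true
	return id
}

// Lookup maps a cookie's session ID to its user_id; deleted IDs no longer resolve.
func (s *Store) Lookup(id string) (int64, bool) {
	uid, ok := s.userOf[id]
	return uid, ok
}

// RevokeAll is "sign out everywhere" for userID: every session found through
// the reverse index is deleted, other users are untouched, count is returned.
func (s *Store) RevokeAll(userID int64) int {
	n := len(s.byUser[userID])
	for id := range s.byUser[userID] {
		delete(s.userOf, id)
	}
	delete(s.byUser, userID)
	return n
}
```

Because the cookie only ever holds the random ID and the record only the numeric `user_id`, a later rename to or from `tom` changes nothing the session depends on, and `RevokeAll` answers the "log out of every session" case without a per-session timestamp comparison.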
Hmm, but your solution does not permit UserA to use multiple devices at one time. That is, if UserA is using an iPhone and a MacBook to access the same website, only the latter logged-in session is available. That is annoying.
I suggest you prepare a UserID (random string or integer) to distinguish each user and not use the username for it. Then users can have the same name at one time.