
Delete sessions by value

Open zwhitchcox opened this issue 6 years ago • 4 comments

So, let's say I create a session and save the username to the session, which I then use throughout my API. Any user can have multiple sessions. Then, let's say they change their username. Now, if someone changes their username to the username they previously had, as the usernames are the primary key, they now have access to the new user with that username. So:

  1. User a creates username tom
  2. tom is saved to session
  3. tom changes username to zeke
  4. new user creates account with username tom
  5. zeke now has access to tom's account information, because he has a session with the username value set to tom.

So, I guess I can just make a SERIAL key as the session id, but that still leaves the problem that any session data saved will be stale if it changes, like username. So, is there any way to get all sessions with the id value set to 1234, for example, or do I just need to retrieve all data from the database, just in case it has changed, even if it doesn't change very often?

zwhitchcox avatar Jun 04 '18 14:06 zwhitchcox

This package makes each session with an encrypted ID and stores the ID into the cookie. That is, each session is related not to the user, but to the cookie.

So, with your example,

  1. UserA creates the session with the name tom.
  2. UserA changes his/her username to zeke.
     • But the ID of the session cannot be changed.
  3. UserB creates the session with the name tom.
  4. UserA cannot access the session created in 3. because UserA cannot know the ID in the browser UserB is using.

This package hides the ID of sessions and users cannot access them. So you need not worry about conflicts or old sessions.

delphinus avatar Jun 05 '18 09:06 delphinus

But ok, Malicious User C creates a bot net to create thousands of common usernames across tons of different browsers. Then he changes all the usernames to something random, but he keeps the session cookie. Then he waits until people create those usernames for themselves. Now, he has a cookie associated with their username, and he can access their account.

But ok, say I just associate the session with user_id instead of username (which I have done). Say UserD suspects someone else has gotten his password, and wants to log out of his account across every session. How would I accomplish that?

zwhitchcox avatar Jun 05 '18 13:06 zwhitchcox

So, my solution is to add another value to the session, date_signed_in, and check the last time the user signed everyone else out from the account. if the date_signed_in is after, then delete the session. This is obviously a workaround and inefficient though, and it would be preferable to just be able to delete all sessions a user has.

zwhitchcox avatar Jun 05 '18 15:06 zwhitchcox

Hmm, but your solution cannot permit UserA to use multiple devices at one time. That is, if UserA is using an iPhone & a MacBook and accessing the same website, only the latter logged-in session is available. That is annoying.

I suggest you should prepare UserID (random string or integer) to distinguish each user and should not use username for it. Then users can have the same name at one time.

delphinus avatar Jun 06 '18 06:06 delphinus
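The thread raises three separate points: sessions should carry a stable user id rather than a username (delphinus's last reply), a user should be able to end all of their sessions at once (zwhitchcox's "log out everywhere" question), and the `date_signed_in` cut-off workaround. The following is an added example, not code from the package discussed in this issue or from either participant. It is an in-memory session store with hypothetical names (`SessionStore`, `logout_everywhere`, `invalidate_sessions_before`) and constructed user ids, showing both strategies side by side: a secondary `user_id -> session ids` index that makes "delete all sessions of a user" a direct lookup, and the timestamp cut-off for stores that can only be queried by session id. Note that the cut-off only rejects sessions that started before it, so sessions created afterwards on any device remain valid.

```python
import secrets
import time
from typing import Dict, Optional, Set


class Session:
    """One server-side session. Holds the user's stable id, never the username."""

    def __init__(self, user_id: int, signed_in_at: float) -> None:
        self.user_id = user_id
        self.signed_in_at = signed_in_at


class SessionStore:
    """Hypothetical in-memory store keyed by an opaque, unguessable session id.

    The cookie only ever carries the id; everything else stays server-side.
    """

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}
        # Strategy 1: secondary index user_id -> live session ids,
        # so "log out everywhere" does not require scanning every session.
        self._by_user: Dict[int, Set[str]] = {}
        # Strategy 2: per-user cut-off; sessions started before it are
        # rejected lazily on their next use (the date_signed_in workaround).
        self._cutoff: Dict[int, float] = {}

    def create(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits of randomness for the cookie value
        self._sessions[sid] = Session(user_id, now)
        self._by_user.setdefault(user_id, set()).add(sid)
        return sid

    def resolve(self, sid: str) -> Optional[int]:
        """Map a cookie value to a user id, or None if the session is gone/invalidated."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if s.signed_in_at < self._cutoff.get(s.user_id, float("-inf")):
            self._drop(sid)  # started before the user's last global sign-out
            return None
        return s.user_id

    def _drop(self, sid: str) -> None:
        s = self._sessions.pop(sid, None)
        if s is not None:
            self._by_user[s.user_id].discard(sid)

    def logout_everywhere(self, user_id: int) -> int:
        """Strategy 1: delete every session of this user via the index. Returns the count."""
        sids = list(self._by_user.get(user_id, ()))
        for sid in sids:
            self._drop(sid)
        return len(sids)

    def invalidate_sessions_before(self, user_id: int, cutoff: float) -> None:
        """Strategy 2: record a cut-off; no session rows are touched now."""
        self._cutoff[user_id] = cutoff


def demo() -> Dict[str, bool]:
    """Walk through the scenarios from the thread with constructed ids and times."""
    store = SessionStore()
    users = {"tom": 1}                     # constructed username -> stable id directory
    sid_a = store.create(1, now=100.0)     # UserA signs in as "tom"
    users["zeke"] = users.pop("tom")       # UserA renames to "zeke"
    users["tom"] = 2                       # UserB registers the freed name
    # The old cookie still resolves to UserA's id, not to whoever now owns "tom".
    old_cookie_still_user_a = store.resolve(sid_a) == 1

    # UserB suspects a leaked password: drop every session at once.
    phone = store.create(2, now=200.0)
    laptop = store.create(2, now=201.0)
    removed = store.logout_everywhere(2)
    all_user_b_gone = removed == 2 and store.resolve(phone) is None and store.resolve(laptop) is None

    # Same goal without an index: set a cut-off, keep sessions started after it.
    old = store.create(3, now=300.0)
    store.invalidate_sessions_before(3, cutoff=350.0)
    new = store.create(3, now=400.0)
    old_rejected = store.resolve(old) is None
    new_still_valid = store.resolve(new) == 3

    return {
        "old_cookie_still_user_a": old_cookie_still_user_a,
        "all_user_b_gone": all_user_b_gone,
        "old_rejected": old_rejected,
        "new_still_valid": new_still_valid,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In a database-backed store, strategy 1 corresponds to an indexed `user_id` column on the sessions table so `DELETE ... WHERE user_id = ?` is cheap; strategy 2 needs only a per-user timestamp and a comparison on each request, which is why it fits stores that expose nothing but get/set by session id.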