sessionauth
sessionauth copied to clipboard
martini-contrib
Renewing sessions
It is typical for a session token to be renewed on every API call. What strategy would we use to do this with the sessionauth package? It looks to me like the SessionUser() function that is inserted into the flow could do this whenever a user is successfully matched by calling Save() on the martini-contrib session. Any thoughts?
The mechanism I came up with for renewing sessions is to call AuthenticateSession() from my LoginRequired() function; i.e. no change needed to martini-contrib. However, in my testing I noticed that the first call to IsAuthenticated() after a session has expired on the server is succeeding; exposing a security hole. To address this I expose the IsNew value from gorilla/sessions as a function on martini-contrib/sessions. Let me know if you want this change.
func SessionUser(newUser func() User) martini.Handler {
return func(s sessions.Session, c martini.Context, l *log.Logger) {
userId := s.Get(SessionKey)
user := newUser()
if userId != nil {
err := user.GetById(userId)
if err != nil {
l.Printf("Login Error: %v\n", err)
} else if !s.IsNew() {
user.Login()
}
...
It's been too long since I've looked at this to be a good judge. But if it's a security concern then we should certainly merge it. Could you send in a PR?
Thanks!!
Note, the change in sessionauth requires the change in sessions. The security concern is that after the session expires exactly one API call is authenticated. When calls are coming all the time this is not an issues; session expires and calls begin to fail soon after. However, if the user leave a window open and goes to lunch some other person can come and make a single change without authenticating.
Unfortunately the automated checks are failing for something unrelated to my changes. I don't have the environment to reproduce and debug these failures. The code compiles just fine for me both before and after my changes.