Do not write or update sessions or their cookies for API access #14826
Conversation
Accessing the API currently does not, and should not update the user's session. Still, currently we're using it to access the session for authenticating the user. As a result, the session is loaded and we're currently outputting a Set-Cookie header as well as writing the user session on every API request. By using session_options[:skip], we can tell rack to avoid saving the session after the request
|
A call to api will still write an empty session when there is none, seems to be happening only when it is destroyed, so from logout page. |
Co-authored-by: Ivan Kuchin <[email protected]>
|
I realised that setting skip session option will also prevent session id cookie from being set, so the problem is only in creating a useless row in sessions table. Should we worry about this? Is there any automation to cleanup stale sessions? |
Yes, there is a cleanup job: https://github.com/opf/openproject/blob/dev/app/workers/cron/clear_old_sessions_job.rb |
As it is happening when finding a session (ActiveRecordStore#get_session_model), I assume customising that would be required. |
Accessing the API currently does not, and should not update the user's session. Still, currently we're using it to access the session for authenticating the user.
As a result, the session is loaded and we're currently outputting a Set-Cookie header as well as writing the user session on every API request.
By using session_options[:skip], we can tell rack to avoid saving the session after the request