Blocked by #4166 (see the comment #4166 (comment)).

What should be done?

• https://www.mongodb.com/docs/manual/reference/command/startSession/#mongodb-dbcommand-dbcmd.startSession

Implementation details

Identifiers

When referenced as lsid (e.g. in command requests), a session is represented by UUID.

When the session is returned in the list of sessions (and also used in some commands), it's represented as an object like this:

_id: {
      id: UUID('b5309a1f-c9c3-4608-9d4e-e058281e4737'),
      uid: Binary.createFromBase64('hobAqu900H1RX9+3UKSg6zEaoyg2IU0ukeytvJ2Vgbo=', 0)
    }

Here id is a UUID (same as lsid above) and uid base64 string is a sha256 of a user@authenticationDatabase string (in this example, username@admin).

Authentication

If authentication is not enforced (even if a user was used to connect to MongoDB), uid will always be a sha256 of an empty string. Its base64 is 47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=.

If authentication is enforced, each user will have their own uid (username + authenticationDatabase).

The logic & decisions

• Right now, we only store sessions in memory (not in a collection).
• For each session, we need to know user, authentication database, uuid and the date when the session was used last time.
• Each time when a session is used, the used time should be updated.
  • It can also be updated through refreshSessions (to be implemented in Implement refreshSessions command #1553).
• To ensure that sessions are not stored forever, we need to cleanup sessions older than the given timeout (default value is 30 min).
• It is possible to mark session as expired before the timeout, see endSessions (to be implemented in Implement endSessions command #1549).
• Sessions can be killed immediately (to be implemented in Implement killSessions command #1552, Implement killAllSessions command #1550, Implement killAllSessionsByPattern command #1551).