Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix invalid session ID handling #2347

Merged
merged 1 commit into from May 6, 2020
Merged

Fix invalid session ID handling #2347

merged 1 commit into from May 6, 2020

Conversation

tanner0101
Copy link
Member

@tanner0101 tanner0101 commented May 6, 2020
edited

Requests containing unrecognized session IDs will now result in a new session being created (#2347, fixes #2339).

This fixes a problem where clearing browser cookies would be required after changing Vapor's session driver.

@tanner0101 tanner0101 added bug Something isn't working semver-patch Internal changes only labels May 6, 2020
@tanner0101 tanner0101 added this to Awaiting Review in Vapor 4 via automation May 6, 2020
@tanner0101 tanner0101 marked this pull request as ready for review May 6, 2020 15:31
@tanner0101
Copy link
Member Author

tanner0101 commented May 6, 2020
edited

Previously SessionMiddleware would treat unrecognized session identifiers as valid sessions with empty data. This would result in a session update query instead of create when adding new data. Session update on invalid identifiers is undefined behavior. For the Fluent driver, this results in the data being discarded.

Now, if a session identifier is not recognized, the invalid identifier is discarded and a new session with a new identifier is created. This means passing an invalid identifier has the same behavior as passing no identifier at all. I think this makes more sense than throwing an error since session identifiers can become invalid or expire normally.

tdotclare
tdotclare approved these changes May 6, 2020
View reviewed changes
Sources/Vapor/Sessions/SessionsMiddleware.swift
} else {
// Session id not found, create new session.
request._sessionCache.session = .init()
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me!

@tanner0101 tanner0101 merged commit 74bbf36 into master May 6, 2020
Vapor 4 automation moved this from Awaiting Review to Done May 6, 2020
@tanner0101 tanner0101 deleted the tn-invalid-session-id branch May 6, 2020 16:38
@tanner0101
Copy link
Member Author

These changes are now available in 4.5.1

pull bot pushed a commit to scope-demo/vapor that referenced this pull request May 7, 2020
@tanner0101 @pull
fix invalid session id handling (vapor#2347)
ee928ed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tdotclare tdotclare tdotclare approved these changes

Assignees
No one assigned
Labels
bug Something isn't working semver-patch Internal changes only
Projects
Vapor 4
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Problem persisting session data to database
2 participants
@tanner0101 @tdotclare