Comments (7)
Yes. That's why sessions should always have an expiry date :) Optionally refreshed with the refresh token - which assumes external storage and "global" invalidation.
from akka-http-session.
If you are using the header transport, then invalidating the session responds with an empty Set-Authorization header, which is assumed to clear the client's storage. However that's of course up to your code to do that - probably it's worth documenting a bit better? (with cookies, this is done automatically by the browser).
Note that except for refreshable sessions, akka-http-session is stateless - it doesn't store the sessions anywhere, so the library itself has no way of knowing if the token was previously invalidated or not.
@adamw thanks for the explanation.
So this happens due to the fact that in akka-http-session a session is stateless and once it is generated I can use it until its identifier is deleted locally on the client side (browser, mobile device).
Correct?
I'll keep this open to clarify the docs later :)
@adamw deal :)
> If you are using the header transport, then invalidating the session responds with an empty Set-Authorization header, which is assumed to clear the client's storage.
Hi all, got the same problem regarding invalidation. I use InMemoryRefreshTokenStorage[T] and it stores session data well during the app lifecycle. I use header transport as well, and invalidating the session responds with an empty Set-Authorization header, that's ok. But, regarding the sources
```scala
private[session] def invalidateRefreshableSession[T](sc: Refreshable[T], st: GetSessionTransport): Directive0 = {
  import sc.ec
  read(sc, st).flatMap {
    case None => pass
    case Some((v, setSt)) =>
      val deleteTokenOnClient = setSt match {
        case CookieST => deleteCookie(sc.refreshTokenManager.createCookie("").copy(maxAge = None))
        case HeaderST => respondWithHeader(sc.refreshTokenManager.createHeader(""))
      }
      deleteTokenOnClient &
        onSuccess(sc.refreshTokenManager.removeToken(v))
  }
}
```
it should remove the session from storage, especially with onSuccess(sc.refreshTokenManager.removeToken(v)), but it doesn't.
Could you clarify if everything should work as @adamw described, why this method is here and what for?
Please assume my code is similar to the @Fruzenshtein implementation, expanded only by InMemoryRefreshTokenStorage[T]; there is nothing special.
Thank you for helping.
PS tested with scalatest and curl
@kormoglaz so you are saying that the token is not removed from storage? That should happen ... maybe you can try with a copy of InMemoryRefreshTokenStorage and with some debugging statements added.
Btw. this storage isn't meant for production, only for testing. It's not thread-safe (but making it such wouldn't be hard, just a different Map implementation).
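The two points made in this thread (that a stateless signed session can only be rejected by its signature check or its expiry, since the server keeps nothing to consult, while a refreshable session can be cut off server-side by removing the refresh token from storage) are easier to see on a runnable model. The following is an added example written for this page; it is generic Python and not akka-http-session's own code or API. It assumes a constructed HMAC key (`SECRET`), a hypothetical lock-protected `RefreshTokenStorage` standing in for the library's in-memory storage, and a `ClientState` object standing in for the browser or device that receives the empty `Set-Authorization` header.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import threading

# Constructed key for this example only; a real deployment loads it from configuration.
SECRET = b"constructed-demo-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(data: dict, now: int, ttl: int) -> str:
    """Stateless session: JSON payload with an 'exp' field, HMAC-SHA256 signed.
    The server stores nothing, so only the signature and 'exp' can reject it."""
    payload = json.dumps({"d": data, "exp": now + ttl}, separators=(",", ":")).encode()
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def read_session(token: str, now: int):
    """Return the session data if the signature verifies and it is not expired, else None."""
    try:
        p, m = token.split(".")
        payload, mac = _unb64(p), _unb64(m)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):
        return None
    obj = json.loads(payload)
    return None if obj["exp"] <= now else obj["d"]


class RefreshTokenStorage:
    """Hypothetical server-side refresh-token store; the lock is what the thread's
    in-memory test storage lacks."""

    def __init__(self):
        self._lock = threading.Lock()
        self._tokens = {}

    def store(self, selector: str, data: dict) -> None:
        with self._lock:
            self._tokens[selector] = data

    def lookup(self, selector: str):
        with self._lock:
            return self._tokens.get(selector)

    def remove(self, selector: str) -> None:
        with self._lock:
            self._tokens.pop(selector, None)


class ClientState:
    """Models the client's own storage of the two header-transport tokens."""

    def __init__(self):
        self.session = None
        self.refresh = None


def login(client, storage, user: str, now: int, ttl: int) -> None:
    client.session = sign_session({"user": user}, now, ttl)
    selector = secrets.token_urlsafe(16)  # random selector; the client holds only this
    storage.store(selector, {"user": user})
    client.refresh = selector


def refresh_session(client, storage, selector: str, now: int, ttl: int) -> bool:
    """Issue a new session only if the refresh token is still present in storage."""
    data = storage.lookup(selector)
    if data is None:
        return False
    client.session = sign_session(data, now, ttl)
    return True


def invalidate(client, storage) -> None:
    """Header transport: the empty Set-Authorization header clears the client copy
    (modeled as None); the refresh token is additionally removed from storage."""
    client.session = None
    if client.refresh is not None:
        storage.remove(client.refresh)
        client.refresh = None


def demo(ttl: int = 60) -> dict:
    storage, client, t0 = RefreshTokenStorage(), ClientState(), 1_000_000
    login(client, storage, "alice", t0, ttl)
    refreshed_ok = refresh_session(client, storage, client.refresh, t0, ttl)
    stale_session, stale_refresh = client.session, client.refresh  # copies kept outside the client
    invalidate(client, storage)
    p, m = stale_session.split(".")
    tampered = _b64(_unb64(p).replace(b"alice", b"bob")) + "." + m  # payload edited, old MAC kept
    return {
        "refresh_works_before_invalidate": refreshed_ok,
        "client_cleared": client.session is None and client.refresh is None,
        "stale_session_valid_before_exp": read_session(stale_session, t0 + 1) is not None,
        "stale_session_valid_at_exp": read_session(stale_session, t0 + ttl) is not None,
        "tampered_rejected": read_session(tampered, t0 + 1) is None,
        "refresh_works_after_invalidate": refresh_session(client, storage, stale_refresh, t0 + 1, ttl),
    }
```

Running `demo()` shows the asymmetry: a copy of the session token taken before invalidation still verifies until `exp` passes, because the server has nothing to check it against, whereas the copied refresh token stops working the moment `remove` runs. That is why the thread's advice of a short expiry on the stateless session plus storage-backed refresh tokens is the combination that gives both cheap verification and a server-side cut-off.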