Clarify session.delete() behavior

Question

Clarify session.delete() behavior

benatto opened this issue 5 years ago · 1 comments

Hello,

I was looking at the beaker documentation about session.delete() method. There it says:

"Calling the delete() method deletes the session from the back-end storage and sends an expiration on the cookie requesting the browser to clear it:"

https://beaker.readthedocs.io/en/latest/sessions.html#deleting

However a few lines further we have:

"Removing Expired/Old Sessions

Beaker does not automatically delete expired or old cookies on any of its back-ends. This task is left up to the developer based on how sessions are being used, and on what back-end."

https://beaker.readthedocs.io/en/latest/sessions.html#removing-expired-old-sessions

Looking at the code it indeed seems to no clean-up cookies from any non-transient storage. May I have your help to double check if this is the right behaviour? I mean, on delete()'s documentation it claims it removes the old session/cookies from back-end storage on the other hand "Removing Expired/Old Sessions" states cookies are not deleted from the back-end.

Answer 1 · 2020-09-24T08:45:27.000Z

As I understand from code, the delete() method does not delete sessions but saves them without values. So it is possible to read them back knowing the ID, but there will be no useful data.
If the session is expired, it is still stored, but with an expired date. Same for old sessions - they will be stored forever.