bungle/lua-resty-session

persist cookie id or data.id between sessions/expired sessions/manipulated sessions

amlwwalker opened this issue · 3 comments

Hi,

I am using this library to set a cookie based on some external factor. If the external factor returns true, then a cookie is created and returned as expected.

local session = require "resty.session"

-- open() does not return nil: it returns the session object plus a `present`
-- flag telling whether a valid, unexpired session cookie came with the request
local opts = { name = ngx.var.session_name or "session", secret = ngx.var.session_secret }
local this_session, present = session.open(opts)
if not present then
    -- no usable cookie: start a fresh session (a new cookie is written on save)
    this_session = session.start(opts)
else
    -- ....
end
if this_session.data.external_factor == true then
    -- ...
end

The above seems to work nicely, in that a user who doesn't have a session gets one if the session is nil and then I can check the external factor and if it returns true then I can set properties on the data of the session.

However, I have set the expiry to less than a minute as I want to expire the cookie and check the external factor again regularly. My goal, however, is this: if a cookie is sent as part of the request, even if it's expired, keep some form of identifier between sessions, even if the previous one has expired and a new one is required.

The issue is that if it's expired, the whole cookie is renewed and I lose the reference to the id or data.id, so I can't know if it's the same user just getting a new session.

So, the question: if a cookie is received as part of a request, regardless of expiration, is there a way I can still get some form of identifier from the cookie that I can then set in the new cookie (id or data.id), so I can keep track of the same user?

Thanks

@amlwwalker, that feels like a good idea for addition. Let me think about it. Thank you!

Thanks.

To elaborate on my requirements:

  • If the cookie is expired, I still need to be able to access the data object, as I need the new cookie to contain the same/similar data.
  • If I can't decrypt the cookie (it's been tampered with), I need to know this was the case. Is there an error somewhere I can use?
  • I need to be able to keep an identifier that this is one and the same client requesting this information, even if the cookie is expired.

i.e. how can I know if it's an existing one (and if so, access data about it), or it's brand new, or it's not new but corrupted?

I'm playing with the code snippet above as we speak. Please can you confirm, so I can stop playing, that none of these three bullet points are currently possible to do with the current code base? Just so I can keep my sanity hahaha
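The three cases listed above (existing client, brand-new client, corrupted cookie) can be told apart without depending on the library exposing expired or tampered session cookies: keep a second, longer-lived identifier cookie that the application signs itself, and let the short-lived lua-resty-session cookie expire freely beside it. The following is an added example for this thread, not code from lua-resty-session or its maintainer. It assumes OpenResty with lua-resty-session and lua-resty-string installed, runs in an access or content phase before any body is sent, and assumes nginx.conf sets a hypothetical `$client_id_secret` variable to a long random value; the cookie name `client_id` and the 30-day lifetime are also assumptions.

```lua
-- Added example, not part of lua-resty-session. Assumes OpenResty with
-- lua-resty-session and lua-resty-string, and that nginx.conf sets
-- $client_id_secret (hypothetical variable name) to a long random secret.
local session = require "resty.session"
local random  = require "resty.random"
local str     = require "resty.string"

local COOKIE_NAME = "client_id"        -- hypothetical cookie name
local MAX_AGE     = 30 * 24 * 3600     -- 30 days, independent of the session lifetime

local function secret()
  return assert(ngx.var.client_id_secret, "client_id_secret is not set")
end

-- HMAC-SHA1 over the identifier so a client cannot forge or alter it
local function sign(id)
  return ngx.encode_base64(ngx.hmac_sha1(secret(), id))
end

-- Returns id, status where status is "present", "new" or "tampered".
local function read_client_id()
  local raw = ngx.var["cookie_" .. COOKIE_NAME]
  if not raw then
    return nil, "new"
  end
  -- value layout: <hex id>.<base64 HMAC-SHA1>
  local id, mac = raw:match("^(%x+)%.([%w%+/=]+)$")
  -- note: a plain string compare is not constant-time; it serves here as a
  -- tamper check on a public identifier, not as a secret comparison
  if not id or sign(id) ~= mac then
    return nil, "tampered"
  end
  return id, "present"
end

local function new_client_id()
  -- 16 bytes from the OpenSSL CSPRNG, hex-encoded
  return str.to_hex(assert(random.bytes(16, true), "no strong random bytes"))
end

-- Append to Set-Cookie without clobbering the cookie lua-resty-session writes;
-- ngx.header["Set-Cookie"] is a string for one cookie and a table for several.
local function set_client_id_cookie(id)
  local cookie = table.concat({
    COOKIE_NAME, "=", id, ".", sign(id),
    "; Path=/; Max-Age=", MAX_AGE, "; HttpOnly; Secure; SameSite=Lax",
  })
  local existing = ngx.header["Set-Cookie"]
  if type(existing) == "table" then
    existing[#existing + 1] = cookie
    ngx.header["Set-Cookie"] = existing
  elseif existing then
    ngx.header["Set-Cookie"] = { existing, cookie }
  else
    ngx.header["Set-Cookie"] = cookie
  end
end

-- Short-lived session for the external-factor check, stable identifier beside it.
local sess = session.start({
  name   = ngx.var.session_name or "session",
  secret = ngx.var.session_secret,
})

local client_id, status = read_client_id()
if status == "tampered" then
  -- the identifier cannot be trusted: record it and hand out a fresh one
  ngx.log(ngx.WARN, "client_id cookie failed its signature check from ", ngx.var.remote_addr)
end
if not client_id then
  client_id = new_client_id()
  set_client_id_cookie(client_id)
end

-- carry the identifier into the session data as well, so data.client_id is
-- available wherever the session is; when the session expires and start()
-- creates a new one, the identifier cookie is still present and is reused
sess.data.client_id = client_id
sess:save()
```

Because the identifier cookie outlives the session cookie, a request arriving after the session has expired still yields `status == "present"` and the same `client_id`, which is then written into the fresh session's `data`. A cookie that fails the HMAC check is reported as `"tampered"` rather than being silently treated as new, which is the signal the second bullet asks for. Note that the identifier is deliberately not a secret and grants nothing by itself; authorization still comes from the session and the external-factor check.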

Hey @bungle - just wondering how you got on with this and if you made any progress with it - thanks!