bungle/lua-resty-session

session.regenerate() with regenerate strategy: keep old session data for $session_cookie_discard seconds

hoebelix opened this issue · 1 comments

Situation
I am using lua-resty-openidc together with the regenerate strategy. When session.save() gets called by client code, this strategy regenerates the session and the old session data is still available for $session_cookie_discard seconds. In contrast to this, when session.regenerate() gets called by client code, this strategy behaved exactly like the default strategy, i.e. it destroys the old session immediately.

Desired behavior
It would be nice if session.regenerate() would preserve the old session data like session.save() for $session_cookie_discard seconds.

Why?
In my case, lua-resty-openidc calls session.generate() whenever tokens are refreshed. By the explanation above, the old session data gets destroyed immediately after the tokens have been refreshed. If there are two parallel refreshes, one refresh will fail (because it tries to read data from a session that no longer exists) and the user gets logged out.

I think this is closely related to zmartzone/lua-resty-openidc#334

@hoebelix, yes, regenerate on regenerate strategy should not destroy session, it needs to ttl the old session for sure. I'll fix this for 3.9 release. Thank you for reporting.
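
A minimal model of the race described in this issue, added here as an example; it is not code from lua-resty-session or lua-resty-openidc. The `Store` table, its methods, the session ids and the token values are constructed for illustration, and the `discard` argument stands in for `$session_cookie_discard`.

```lua
-- Constructed model, not lua-resty-session code: an in-memory store with a
-- logical clock, and two ways of handling the old record on regenerate.
local Store = {}
Store.__index = Store

function Store.new()
  return setmetatable({ now = 0, rows = {}, seq = 0 }, Store)
end

function Store:get(id)
  local row = self.rows[id]
  if row and row.expires > self.now then return row.data end
  return nil  -- missing or expired
end

function Store:put(id, data, ttl)
  self.rows[id] = { data = data, expires = self.now + ttl }
end

-- discard == nil: destroy the old record at once (behaviour reported in the issue).
-- discard == n:   keep the old record readable for n more seconds (behaviour requested).
function Store:regenerate(old_id, data, ttl, discard)
  if discard then
    self:put(old_id, self:get(old_id), discard)  -- shorten the old record's TTL
  else
    self.rows[old_id] = nil
  end
  self.seq = self.seq + 1
  local new_id = "sid-" .. self.seq
  self:put(new_id, data, ttl)
  return new_id
end

-- Two requests carry the same cookie. A refreshes first, B arrives `gap` seconds later.
local function parallel_refresh(discard, gap)
  local store = Store.new()
  store:put("sid-0", { refresh_token = "rt-constructed" }, 3600)
  local cookie = "sid-0"  -- the id both A and B were sent with
  store:regenerate(cookie, { refresh_token = "rt-new" }, 3600, discard)  -- request A
  store.now = store.now + gap
  return store:get(cookie) ~= nil  -- can request B still load its session?
end

print("destroy immediately, B arrives 1s later: ", parallel_refresh(nil, 1))
print("discard window 10s,  B arrives 1s later: ", parallel_refresh(10, 1))
print("discard window 10s,  B arrives 11s later:", parallel_refresh(10, 11))
```

The third case shows the limit of the discard window: a request that arrives after it has elapsed still finds no session, so the window has to cover the longest expected overlap between parallel requests.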