Separate rotation and expiry of sessions
If a session is rotate in the middle of a server side rendering then some random portions of requests made on the server side will fail with a session taken error as the server is not going to update the cookies of the client during these requests. To avoid this pitfall extend the expiry time of sessions to be 10 seconds after the session has been rotated. This is accomplished by introducing a new timestamp on sessions called the rotateAt at time alongside the expiresAt time. Sessions used after rotateAt that haven't been rotated get rotated into a new session and the existing session gets the expiresAt time set to 10 seconds in the future. Sessions that are past the expiredAt time have no access. This makes the logic around session expiry simpler, and also makes it possible to audit when a session got rotated, and to mark sessions as expired without a chance to rotate to a new session without having to resort to a finished flag.
This commit is contained in:
parent
352362b9c3
commit
3f492edea2
10 changed files with 37 additions and 38 deletions
|
|
@ -18,9 +18,8 @@ export default defineEventHandler(async (event) => {
|
|||
const nowMs = Date.now();
|
||||
for (const session of sessions) {
|
||||
if (
|
||||
!session.finished
|
||||
&& session.successor !== undefined
|
||||
&& session.expiresAtMs < nowMs
|
||||
session.successor !== undefined
|
||||
&& (session.expiresAtMs === undefined || session.expiresAtMs < nowMs)
|
||||
&& session.accountId === serverSession.accountId
|
||||
) {
|
||||
session.expiresAtMs = nowMs;
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue