I'm trying to use `rocket_session` to enable user login. What I'm missing is a feature to destroy a session completely when the user logs out. All I can find here is a `clear` function that would remove the user-id and hence log out the user somewhat, but if I then log in again, I would still be in the same session. That would make all existing browser tabs/windows from that session suddenly have the new user logged in.
I'd expect a function that
1. Deletes the cookie on the client, so that new requests from that browser get a new session-id
2. Deletes the session completely from the store, so that requests using the old session-id no longer work in any way.
Right now, it feels like a security issue that could lead to leaking sessions.
That sounds like a desirable functionality.
I don't know when I will have time to look at this. If you need it urgently, you can try implementing it and send me a merge request (forking works here).
Thanks for your reply. I was thinking about creating a pull request, but I ended up writing my own little session implementation. I need only a few values I don't change over the session's lifetime, and I wanted to use my DB as storage, to make sessions persistent. It's easy to do in a specific project, but difficult to do in a general-purpose lib, where you don't know what the session backend will be.
Thanks for your work! It helped inspire how to do it, since I'm still learning how to use Rust efficiently.
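The difference between clearing and destroying a session discussed in this thread, as an added example that is not part of the original thread and is not `rocket_session`'s code. `SessionStore`, its methods and the cookie name `sid` are hypothetical, and session ids are read from `/dev/urandom`, which assumes a Unix-like host.

```rust
use std::collections::HashMap;
use std::{fs::File, io::Read};

/// Hypothetical in-memory store (NOT rocket_session's API): session id -> user id.
pub struct SessionStore { sessions: HashMap<String, Option<String>> }

// Assumption: Unix-like host. A real application would use a CSPRNG crate.
fn new_session_id() -> String {
    let mut buf = [0u8; 16];
    File::open("/dev/urandom").and_then(|mut f| f.read_exact(&mut buf)).expect("OS randomness");
    buf.iter().map(|b| format!("{:02x}", b)).collect()
}

impl SessionStore {
    pub fn new() -> Self { Self { sessions: HashMap::new() } }
    /// Login always mints a fresh id, so an id from before login is never reused.
    pub fn login(&mut self, user: &str) -> String {
        let id = new_session_id();
        self.sessions.insert(id.clone(), Some(user.to_string()));
        id
    }
    /// The behaviour the issue calls insufficient: user removed, id still valid.
    pub fn clear(&mut self, id: &str) {
        if let Some(slot) = self.sessions.get_mut(id) { *slot = None; }
    }
    /// Logging in again on the surviving id, as happens after `clear`.
    pub fn set_user(&mut self, id: &str, user: &str) -> bool {
        match self.sessions.get_mut(id) {
            Some(slot) => { *slot = Some(user.to_string()); true }
            None => false,
        }
    }
    /// Full logout: drop the server-side entry and return a header that expires
    /// the client cookie (cookie name `sid` is a placeholder).
    pub fn destroy(&mut self, id: &str) -> &'static str {
        self.sessions.remove(id);
        "Set-Cookie: sid=; Max-Age=0; Path=/; HttpOnly"
    }
    pub fn user_for(&self, id: &str) -> Option<&str> {
        self.sessions.get(id)?.as_deref()
    }
}

fn main() {
    let mut store = SessionStore::new();
    let old = store.login("alice");
    store.clear(&old);
    store.set_user(&old, "bob"); // a stale tab still holding `old` now acts as bob
    println!("after clear + re-login: {:?}", store.user_for(&old));
    println!("{}", store.destroy(&old));
    println!("after destroy: {:?}", store.user_for(&old));
}
```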