Ability to extract SessionKey #306
Comments
@LukeMathWalker any quick thoughts on this? It seems like a method like the following would satisfy this use case, punting the actual purge logic to the application.

```rust
impl Session {
    fn key(&self) -> SessionKey
}
```
That would work for the Redis case, yes. I'd suggest returning a
@LukeMathWalker do you envision
No, it should be added to the
Is this something you would be interested in working on with me? I imagine this would need to take place in the inner struct of Session?

```rust
#[derive(Default)]
struct SessionInner {
    state: HashMap<String, String>,
    status: SessionStatus,
    session_key: secrecy::Secret<SessionKey>,
}
```

Also, I'm a bit confused: are you suggesting we need to also pull in the secrecy crate for this change?
I can definitely review the PR 😁 Yes, I'm suggesting we pull in the
@LukeMathWalker Would you be able to help me push this commit through? I'm probably going to need hand holding as I'm feeling a bit in over my head. Am I correct on the route I'm going? Edit:
It's easier for me to provide feedback if you open a draft PR 👍🏻
Ok, I've opened a PR to help move the feedback discussion forward.
(I'm a bit busy at the moment, I'll try to get to it before the end of the Christmas holidays, but no promises)
@LukeMathWalker hope you had a great holiday break. Let me know if you're interested in working on this with me. I'm looking forward to learning from you.
Hi, I have a question regarding the I did search actix-extras but I have not found the answer. In my middleware, I just print out the cookie

```rust
...
fn call(&self, request: ServiceRequest) -> Self::Future {
    if let Some(value) = request.cookie("id") {
        println!("Auth -- Id {:#?}", String::from(value.to_string()));
    }
...
```

And every time, I have a different one. I was under the assumption that it stays fixed. Based on the quote above, is this the expected behaviour, please? If I need to implement a unique session Id to identify a client session, am I correct to conclude that this cookie Thank you and best regards, ...behai.
Hi, @behai-nguyen
Hi @Mark-Asuncion, I did not find a solution for it, unfortunately. I just like to use a unique
This is my work-around: In my application, I am using JSON Web Token (JWT) for authentication. I build my own unique session identifier UUID onto the JWT. And so every time a request starts, I look for the token and try to extract my UUID out for logging, and when the request finishes also. -- Of course, we need to handle the absence of the JWT as well as errors arising during decoding, etc. It is not an elegant solution... But it is okay for me for the time being. Please update if you make any progress on this. Thank you and best regards, ...behai.
@behai-nguyen @Mark-Asuncion I have been dealing with the same thing. By default cookies are encrypted as per documentation https://docs.rs/actix-session/0.10.0/actix_session/config/struct.SessionMiddlewareBuilder.html#method.cookie_content_security If you use
Hi @polarkac, Thank you very much for your update and suggestion. I appreciate it. Best regards, ...behai.
Discussed in #305
Originally posted by miketwenty1 December 4, 2022
Goal: Prevent 1 user from having multiple active sessions.
I'm using actix-web redis session middleware.
When a user does a login, I'll go ahead and insert some data into their session.
Seemingly these key/values via the `session.insert` are inner key/values to the actual managed middleware session keys that are made automagically.
First question: How can I extract this middleware session id key that redis uses for the inserts/sessions?
My thought is I would go ahead and insert the userid as a redis key with the value being the middleware redis session id so I could easily lookup and void any sessions that the user may have if logging in again. (seems hacky idk).
Second question: Is there a much easier/cleaner way of doing this while still getting the nice managed sessions from the redis middleware?
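The lookup-and-void idea from the original post, as an added example that is not code from this thread or from actix-session: a user id to session key index that revokes the previous session on each new login. It uses only the standard library, with an in-memory map standing in for Redis; `Store`, `login`, `is_valid` and the sample keys are hypothetical.

```rust
use std::collections::HashMap;

// Constructed in-memory stand-in for the Redis-backed store. Every name here
// (Store, login, is_valid) is hypothetical; none of it is actix-session API.
#[derive(Default)]
struct Store {
    // session key -> session state (what `session.insert` writes into)
    sessions: HashMap<String, HashMap<String, String>>,
    // user id -> the single session key currently allowed for that user
    active: HashMap<String, String>,
}

impl Store {
    /// Records a new login and purges the user's previous session, if any.
    /// Returns the session key that was revoked.
    fn login(&mut self, user_id: &str, new_key: &str) -> Option<String> {
        let mut state = HashMap::new();
        state.insert("user_id".to_string(), user_id.to_string());
        self.sessions.insert(new_key.to_string(), state);
        // Swapping the index entry hands back the key that must be revoked.
        match self.active.insert(user_id.to_string(), new_key.to_string()) {
            Some(old) if old != new_key => {
                self.sessions.remove(&old);
                Some(old)
            }
            _ => None,
        }
    }

    /// A session is honoured only while it exists and is still the indexed
    /// key for the user stored inside it.
    fn is_valid(&self, key: &str) -> bool {
        self.sessions
            .get(key)
            .and_then(|state| state.get("user_id"))
            .map_or(false, |user| self.active.get(user).map(String::as_str) == Some(key))
    }
}

fn main() {
    let mut store = Store::default();
    store.login("alice", "key-laptop"); // constructed sample keys
    let revoked = store.login("alice", "key-phone");
    println!("revoked: {:?}", revoked);
    println!("laptop valid: {}", store.is_valid("key-laptop"));
    println!("phone valid: {}", store.is_valid("key-phone"));
}
```

Against a real Redis instance the index swap and the deletion of the old session need to happen atomically, since two concurrent logins could otherwise each leave a session alive. The index also holds session keys, which are bearer credentials, so it needs the same access controls as the session store itself.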