Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

destroy session on logout instead of restarting it #10023

Merged
merged 1 commit into from
Jul 20, 2021
Merged

destroy session on logout instead of restarting it #10023

merged 1 commit into from
Jul 20, 2021

Conversation

xini
Copy link
Contributor

@xini xini commented Jul 13, 2021

IMHO there is no reason to keep the session around after logout? When you visit a public page the session is not started either, so there is no reason to keep a session around after logout.

maxime-rainville
maxime-rainville reviewed Jul 13, 2021
View reviewed changes
Copy link
Contributor

@maxime-rainville maxime-rainville left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looking at Session, it looks like restart will call destroy.

silverstripe-framework/src/Control/Session.php

Lines 246 to 250 in ae61be3

public function restart(HTTPRequest $request)
{
$this->destroy();
$this->start($request);
}

And Session::init() looks like it wants to start a new session if one doesn't already exists.

silverstripe-framework/src/Control/Session.php

Lines 226 to 239 in ae61be3

public function init(HTTPRequest $request)
{
if (!$this->isStarted() && $this->requestContainsSessionId($request)) {
$this->start($request);
}
// Funny business detected!
if (self::config()->get('strict_user_agent_check') && isset($this->data['HTTP_USER_AGENT'])) {
if ($this->data['HTTP_USER_AGENT'] !== $this->userAgent($request)) {
$this->clearAll();
$this->restart($request);
}
}
}

I suspect that in 99% of logouts, you'll be redirected to some page that will want to start a new session.

@xini
Copy link
Contributor Author

xini commented Jul 15, 2021

Hi @maxime-rainville,

Thanks for your reply.

Looking at Session, it looks like restart will call destroy.

Yes, restart does call destroy, but it also restarts a new session. For a normal page without a form a session is not needed. When you visit a default Silverstripe page, a session is not started. Hence we should destroy the session after logout. No?

And Session::init() looks like it wants to start a new session if one doesn't already exists.

Correct, but we don't re-init the session after logout.

I suspect that in 99% of logouts, you'll be redirected to some page that will want to start a new session.

That might be the case, but that really is up to the developer building the site. If the target page needs a session, it can/will create it. But we don't need to force it. right?

@dhensby
Copy link
Contributor

dhensby commented Jul 16, 2021

Whilst I agree with @maxime-rainville that most pages will probably start a session anyway, there's no point forcing the session to be started unless it's really needed. So I think this change is sensible.

I think it should go into 4 branch, though. Not 4.8.

@xini xini force-pushed the fix-destroy-session-on-logout branch 3 times, most recently from e3ee6fb to 7dc5cee Compare July 20, 2021 02:03
@xini xini changed the base branch from 4.8 to 4 July 20, 2021 02:03
@xini xini force-pushed the fix-destroy-session-on-logout branch from 7dc5cee to 3e2ca30 Compare July 20, 2021 02:07
@xini
Copy link
Contributor Author

xini commented Jul 20, 2021

@dhensby I have rebased this. Thanks.

@dhensby
Copy link
Contributor

dhensby commented Jul 20, 2021

Apparently there are some linting issues 😕

@dhensby dhensby merged commit 507c70e into silverstripe:4 Jul 20, 2021
@dhensby dhensby mentioned this pull request Jul 20, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@maxime-rainville maxime-rainville maxime-rainville left review comments

@dhensby dhensby dhensby approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@xini @dhensby @maxime-rainville