Is rodauth deleting keys from my session? #302
Replies: 5 comments
-
Yes, that's expected behavior, Rodauth clears the entire session when on login and logout. This is to prevent session fixation attacks, see https://guides.rubyonrails.org/security.html#session-fixation-countermeasures. As far as I know, Devise/Warden also resets the session on logout, though it doesn't seem to do it on login. |
Beta Was this translation helpful? Give feedback.
-
Thanks for the fast response. Although what's confusing is that this does not occur on login or logout: my user is already logged in, and after the issue, my user is still able to click around the app fine. I'm not sure whether it makes a difference but I notice the issue as part of an oauth flow with another app i.e. when a user adds an integration in our app, we redirect them to the relevant site, then when that site redirects the browser to our callback endpoint, it seems our session state has disappeared (but the rodauth-specific session state is still there). I don't know whether the fact that the user has returned from another site makes a difference; it's just that this is the only flow in our site that involves manually setting session keys (for the sake of oauth state comparison in the callback endpoint) and so naturally it's in this flow that we discover this strange behaviour. I'm wondering if perhaps the session is being periodically reset by rodauth as part of some kind of intermittent process, e.g. checking if the session is still active. Maybe occasionally the oauth callback endpoint on my end is hit at the same time that rodauth resets the session. EDIT: For example, I'm using the active sessions feature and I can see in rodauth's code that sometimes it clears the session right before setting it again: https://github.com/jeremyevans/rodauth/blob/ec8be20e8a42f2988be429dda30aa84974124083/lib/rodauth/features/active_sessions.rb#L123 |
Beta Was this translation helpful? Give feedback.
-
If you still stay logged in when this happens, then it doesn't seem to me like Have you tried disabling I'll convert this into a discussion, because it doesn't appear to be a bug in rodauth-rails. |
Beta Was this translation helpful? Give feedback.
-
It doesn't happen consistently, but I'll see if I can reliably reproduce it somehow. I'll also try disabling active_sessions and seeing how that goes. |
Beta Was this translation helpful? Give feedback.
-
I found out what the problem was: I was making multiple simultaneous requests from my SPA frontend: one which set oauth state in the session, and one which didn't. There was a race condition which led to the non-oauth request updating the session and overwriting the contents of the oauth request. The reason I suspected rodauth was the culprit was that the session still had rodauth values in it, but that's just because that's what was present in the prior request. Rails typically re-writes the session with each request so this is to be expected. I solved the issue by just storing oauth state in a separate cookie. Thanks for bearing with me! |
Beta Was this translation helpful? Give feedback.
-
I've got an intermittent issue where it appears that some keys that I've set in my session are being deleted, and I suspect rodauth may be the culprit. I can go from having the following keys in my session:
To having
my_key
andmy_key_2
removed. I suspect that rodauth is clearing the session and re-setting its own values in the session, such that my own session values are cleared too.Here's my RodauthApp:
And here's my rudimentary test that rodauth is capable of clearing my session internally (Using the
clear_session
method which I've found from looking at the rodauth codebase:Which spits out:
I'd like to know:
Thanks!
Beta Was this translation helpful? Give feedback.
All reactions