Comments (7)
It seems like the session in the cache is getting renewed if there is any activity after 15 minutes, not during the whole 30 of the TTL? The following is what happens when I make the request to a page when I have 900000 ms left for the timer.
iex(38)> [info] GET /rooms/810fa5
[debug] Processing with DemoWeb.RoomController.show/2
Parameters: %{"id" => "810fa5"}
Pipelines: [:browser, :logged_in]
# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.get([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache._get([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache._key([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.delete([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.handle_cast({:delete, [ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657"}, %Demo.Pow.SessionCache{invalidators: %{"demo_bbf48417-285a-4a14-bf0d-335e2b0fc657" => #Reference<0.492836512.4277665794.247912>}})
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._delete([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._key([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.put([ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563})
[debug] QUERY OK source="sessions" db=2.4ms queue=0.5ms
UPDATE "sessions" AS s0 SET "expired_at" = now() WHERE (s0."key" = $1) ["credentials:demo_bbf48417-285a-4a14-bf0d-335e2b0fc657"]
INSERT INTO "sessions" AS s0 ("key","user_id","value") VALUES ($1,$2,$3) ON CONFLICT ("key") DO UPDATE SET "user_id" = $4, "value" = $5, "expired_at" = $6 ["credentials:demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", 4, <<131, 104, 2, ...>>, nil]
[info] Sent 200 in 21ms
# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.delete([ttl: 1800000, namespace: "credentials"], nil)
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.clear_invalidator(%{"demo_bbf48417-285a-4a14-bf0d-335e2b0fc657" => #Reference<0.492836512.4277665794.247912>}, "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.handle_cast({:cache, [ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563}}, %Demo.Pow.SessionCache{invalidators: %{}})
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._update([ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563}, [update_db?: true])
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._key([ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a")
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._db_insert("credentials:demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563})
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.update_invalidators([ttl: 1800000, namespace: "credentials"], %{}, "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a")
# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.clear_invalidator(%{}, "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a")
iex(41)> state = :sys.get_state Demo.Pow.SessionCache
%Demo.Pow.SessionCache{
invalidators: %{
"demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a" => #Reference<0.492836512.4277665794.251758>
}
}
# 14:54:42 #PID<0.667.0> IEx.Evaluator.init/4
# Demo.Pow.SessionCache.__struct__()
iex(42)> Process.read_timer(state.invalidators["demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a"])
1738994
from pow.
Ah, that was due to the user being updated
Updating a user with both pow_user_id_field_changeset/2 and
pow_password_changeset/2 in the changeset doesn't make any calls to the session cache process
So that works by comparing the user we get from the session cache with the user in db?
from pow.
Just had the timer go below 15 minutes
iex(57)> Process.read_timer(state.invalidators["demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a"])
894113
refreshed the page, and it the session was renewed. So it works, sorry. But I wonder what's the reasoning to only refresh if there is some activity in the latter half of the ttl?
from pow.
Cool, looking forward to see it working!
It's to prevent session hijacking. The session ID is rotated when session is renewed. The 15 minutes renewal TTL doesn't really have anything to do with the cache TTL, other than it should be less than what the cache TTL is.
from pow.
Also I wrote in #76 and #75 about how to build a custom cache module. It should be straight forward, the only caveat would be TTL with postgres, but can be dealt with by setting it up as a GenServer like I've done in the Mnesia cache store.
Let me know if you have any issues getting it to work!
from pow.
Hi @danschultzer, thank you for the responses. Yes, it is straightforward to build a custom cache module backed by postgres. The problems I had were due to my misunderstanding of the pow's functionality itself (session renewal, in particular).
How would session hijacking work over https?
from pow.
If used for all requests on the whole domain it should mitigate most risks. The renewal TTL limits the time window for exploit. It could also be changed to update on every single request rather than every 15 minutes. Iβm following best practise for Pow, but Iβm pretty light weight when it comes to understanding vulnerabilities and hardening (which often is case-by-case measures). So if you are interested in more in-depth understanding of risks I recommend you looking up articles from far more competent people π I have tried to keep Pow super flexible for security, so itβs easy to harden the system.
from pow.
Related Issues (20)
- ecto_sql 3.8.0 gives compilation error for generated user schema HOT 4
- Replacing Phoenix.Token with JWT-based for signing and verifiying of tokens HOT 1
- Unable to logout user in Pow API HOT 2
- Feature Request: Apple Passkeys HOT 1
- Pow.Plug.authenticate_user/1 performance HOT 2
- Reset password - test fails issue HOT 1
- Upgrading to Phoenix 1.7 HOT 5
- Create account without email/password using some unique ID?
- Phoenix 1.7 compilers warning HOT 1
- Maintain case when storing emails HOT 2
- Permissions issues with mnesia backend for Pow HOT 16
- Improve mix tasks
- Crash @missing_field? in Schema.ex HOT 1
- Inject values on registration HOT 2
- users_context seems to be ignored HOT 1
- Upgrading POW from 1.6 to 1.7 HOT 12
- Changeset errors into view HOT 1
- POW & LiveView - best way to implement `assigns.current_user` ? HOT 7
- Elixir 1.15 deprecation warnings HOT 1
- Persistence of stale session ids in MnesiaCache HOT 10
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
π Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. πππ
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google β€οΈ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pow.