👋 The credentials and session are renewed after

Just had the timer go below 15 minutes <div class="snippet-clipboard-content notra

Also I wrote in <a class="issue-link js-issue-link" data-error-text="Failed to load ti

Hi <a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="

Questions about session cache. about pow HOT 7 CLOSED

pow-auth commented on May 9, 2024

Questions about session cache.

from pow.

Comments (7)

commented on May 9, 2024

It seems like the session in the cache is getting renewed if there is any activity after 15 minutes, not during the whole 30 of the TTL? The following is what happens when I make the request to a page when I have 900000 ms left for the timer.

iex(38)> [info] GET /rooms/810fa5

[debug] Processing with DemoWeb.RoomController.show/2
  Parameters: %{"id" => "810fa5"}
  Pipelines: [:browser, :logged_in]

# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.get([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache._get([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache._key([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.delete([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.handle_cast({:delete, [ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657"}, %Demo.Pow.SessionCache{invalidators: %{"demo_bbf48417-285a-4a14-bf0d-335e2b0fc657" => #Reference<0.492836512.4277665794.247912>}})

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._delete([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._key([ttl: 1800000, namespace: "credentials"], "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.put([ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563})

[debug] QUERY OK source="sessions" db=2.4ms queue=0.5ms
UPDATE "sessions" AS s0 SET "expired_at" = now() WHERE (s0."key" = $1) ["credentials:demo_bbf48417-285a-4a14-bf0d-335e2b0fc657"]
INSERT INTO "sessions" AS s0 ("key","user_id","value") VALUES ($1,$2,$3) ON CONFLICT ("key") DO UPDATE SET "user_id" = $4, "value" = $5, "expired_at" = $6 ["credentials:demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", 4, <<131, 104, 2, ...>>, nil]

[info] Sent 200 in 21ms

# 14:53:42 #PID<0.813.0> :cowboy_stream_h.request_process/3
# Demo.Pow.SessionCache.delete([ttl: 1800000, namespace: "credentials"], nil)

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.clear_invalidator(%{"demo_bbf48417-285a-4a14-bf0d-335e2b0fc657" => #Reference<0.492836512.4277665794.247912>}, "demo_bbf48417-285a-4a14-bf0d-335e2b0fc657")

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.handle_cast({:cache, [ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563}}, %Demo.Pow.SessionCache{invalidators: %{}})

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._update([ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563}, [update_db?: true])

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._key([ttl: 1800000, namespace: "credentials"], "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a")

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache._db_insert("credentials:demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a", {%Demo.Accounts.User{}, 1549292022563})

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.update_invalidators([ttl: 1800000, namespace: "credentials"], %{}, "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a")

# 14:53:42 #PID<0.666.0> (Demo.Pow.SessionCache)
# Demo.Pow.SessionCache.clear_invalidator(%{}, "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a")


iex(41)> state = :sys.get_state Demo.Pow.SessionCache
%Demo.Pow.SessionCache{
  invalidators: %{
    "demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a" => #Reference<0.492836512.4277665794.251758>
  }
}

# 14:54:42 #PID<0.667.0> IEx.Evaluator.init/4
# Demo.Pow.SessionCache.__struct__()
iex(42)> Process.read_timer(state.invalidators["demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a"])
1738994

from pow.

commented on May 9, 2024

Ah, that was due to the user being updated

Updating a user with both pow_user_id_field_changeset/2 and
pow_password_changeset/2 in the changeset doesn't make any calls to the session cache process

So that works by comparing the user we get from the session cache with the user in db?

from pow.

commented on May 9, 2024

Just had the timer go below 15 minutes

iex(57)> Process.read_timer(state.invalidators["demo_7f88ab17-f7d1-4e2f-ac43-0527792e696a"])
894113

refreshed the page, and it the session was renewed. So it works, sorry. But I wonder what's the reasoning to only refresh if there is some activity in the latter half of the ttl?

from pow.

danschultzer commented on May 9, 2024

Cool, looking forward to see it working!

It's to prevent session hijacking. The session ID is rotated when session is renewed. The 15 minutes renewal TTL doesn't really have anything to do with the cache TTL, other than it should be less than what the cache TTL is.

from pow.

danschultzer commented on May 9, 2024

Also I wrote in #76 and #75 about how to build a custom cache module. It should be straight forward, the only caveat would be TTL with postgres, but can be dealt with by setting it up as a GenServer like I've done in the Mnesia cache store.

Let me know if you have any issues getting it to work!

from pow.

commented on May 9, 2024

Hi @danschultzer, thank you for the responses. Yes, it is straightforward to build a custom cache module backed by postgres. The problems I had were due to my misunderstanding of the pow's functionality itself (session renewal, in particular).

How would session hijacking work over https?

from pow.

danschultzer commented on May 9, 2024

If used for all requests on the whole domain it should mitigate most risks. The renewal TTL limits the time window for exploit. It could also be changed to update on every single request rather than every 15 minutes. I’m following best practise for Pow, but I’m pretty light weight when it comes to understanding vulnerabilities and hardening (which often is case-by-case measures). So if you are interested in more in-depth understanding of risks I recommend you looking up articles from far more competent people 😀 I have tried to keep Pow super flexible for security, so it’s easy to harden the system.

from pow.

Questions about session cache. about pow HOT 7 CLOSED

Comments (7)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent