
Sessions can end mysteriously #1363

Open
srabraham opened this issue Nov 4, 2024 · 3 comments
Comments

@srabraham
Member

I sometimes seem to get logged out for no reason. This happens on prod as well as on staging and local. I want to dig into this.

@srabraham srabraham self-assigned this Nov 4, 2024
@srabraham srabraham added the Bug label Nov 4, 2024
@srabraham
Member Author

I'm wondering if maybe an old TWISTED_SESSION cookie value is being maintained in the browser sometimes.

@srabraham
Member Author

I think the issue is our over-reliance on the TWISTED_SESSION cookie. That cookie gets set on login, and then it's the only token used to authenticate all future requests to the server. If the server restarts, or if that session expires, then the user will be forced to log in again.

Really we should be acquiring an "Authorization: Bearer"-style JWT upon login, and caching it in local cache (this is what Clubhouse does). Then, on all authenticated requests to the server, we'd pass along the Authorization header to tell the server who we are. The benefit to this is that if the Twisted Session doesn't exist (e.g. because of server restart), then a new session can be created automatically, without another login, so long as the JWT is still valid.
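A sketch of the bearer-then-session flow described in that comment, as an added example that is not part of this issue or of the project's code. The HS256 JWT helpers, SECRET, the Session stand-in (in place of twisted.web.server.Session) and passing the Authorization header value and session directly instead of a Twisted request are all assumptions; it goes one step beyond the comment by capping the session's life at the token's exp, so a session minted from a JWT cannot be used past the token's own validity.

```python
import base64, hashlib, hmac, json
from dataclasses import dataclass
from typing import Optional

SECRET = b"constructed-example-secret"  # assumption: the server's JWT signing key

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt(claims: dict, secret: bytes) -> str:
    """Mint an HS256 JWT; used here only to construct sample tokens."""
    head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64(sig)}"

def verify_jwt(token: str, secret: bytes, now: int) -> Optional[dict]:
    """Return the claims only if the HMAC verifies and exp is still in the future."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    signed = f"{parts[0]}.{parts[1]}".encode()
    if not hmac.compare_digest(_unb64(parts[2]), hmac.new(secret, signed, hashlib.sha256).digest()):
        return None
    claims = json.loads(_unb64(parts[1]))
    return claims if claims.get("exp", 0) > now else None

@dataclass
class Session:  # stand-in for twisted.web.server.Session (assumption: just these two fields)
    user: Optional[str] = None
    expires_at: int = 0

def authenticate(authorization: Optional[str], session: Session, now: int) -> Optional[str]:
    """Bearer JWT first (the Authorization header value); on success bind the user to the
    cookie-selected session but cap its life at the token's exp, so the cookie cannot
    outlive the JWT. Otherwise fall back to the session only while that cap still holds."""
    if authorization and authorization.startswith("Bearer "):
        claims = verify_jwt(authorization[len("Bearer "):], SECRET, now)
        if claims:
            session.user, session.expires_at = claims["sub"], claims["exp"]
            return session.user
    if session.user and session.expires_at > now:
        return session.user
    session.user = None  # stale or never-authenticated session: force a fresh login
    return None
```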

@srabraham
Member Author

One thing to add is that I needed to make this tweak locally in checkAuthentication to get my request to produce a session if no session yet existed.

diff --git a/src/ims/auth/_provider.py b/src/ims/auth/_provider.py
index 2e5683f9..a64d0af9 100644
--- a/src/ims/auth/_provider.py
+++ b/src/ims/auth/_provider.py
@@ -330,6 +330,11 @@ class AuthProvider:
             authorization = request.getHeader(HeaderName.authorization.value)
             user = self._userFromBearerAuthorization(authorization)

+            if user is not None:
+                sess = request.getSession()
+                if sess:
+                    sess.user = user
+
             if user is None:
                 session = request.getSession()
                 user = getattr(session, "user", None)
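Review bot: setting `sess.user = user` in the new block means every later cookie-only request is accepted by the `if user is None:` fallback below via `getattr(session, "user", None)` without the bearer token ever being checked again, so the session outlives the JWT's expiry; consider recording the token's expiry on the session when you bind the user and checking it in that fallback, and when the bearer identity differs from the session's existing `user`, calling `session.expire()` rather than rebinding a session that an old TWISTED_SESSION cookie selected. Also, Twisted's `request.getSession()` always returns a Session (creating one if needed), so `if sess:` filters nothing, and the new block names it `sess` while the block below uses `session`; fetch it once under one name.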
