This repository was archived by the owner on Nov 30, 2023. It is now read-only.
Question regarding `auth.get_user_by_session` when reusing the previous `auth` cookie after the user logs out.
How to reproduce:

1. I have `RequestHandler.session_store` configured with `backend='datastore'`.
2. After login (with `remember=True`), capture the raw value of the `auth` cookie.
3. Logout by calling `auth.unset_session()`, which deletes the `UserToken` from the server side.
4. Replace the `auth` cookie with the value captured in step 2.
5. Reload the page; `auth.get_user_by_session` returns the previously logged-in user.
Here are my findings:

`auth.get_user_by_session` invokes `get_user_by_token`, which checks the `cache` and `cache_ts` first. The next step, token validation, is skipped if `cache_ts` is still valid.
--
So a valid client-side `auth` cookie can be reused as long as the cache timestamp is valid, even after the corresponding `UserToken` has been removed from the server side.
Am I right? Did I miss anything?
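The lookup described in the post, as an added example that is not part of the original issue and not the project's own code: a small model of a session whose cached token validation is trusted while `cache_ts` is fresh, run through the five reproduction steps above, beside a lookup that always re-checks the server-side token store. All names here (`TokenStore`, `SessionData`, `get_user_by_token`, `replay_after_logout`, the two age constants) are assumptions chosen to mirror the shape of the behaviour described, not the library's actual API or defaults.

```python
"""Model of a session-cached auth token whose server-side check is
skipped while the cache timestamp is fresh, plus a hardened lookup.

Added example: names, data layout and the two age constants are
assumptions, not the project's code or configuration.
"""
import secrets
from dataclasses import dataclass, field

TOKEN_MAX_AGE = 7 * 24 * 3600   # seconds; assumed policy
TOKEN_CACHE_AGE = 3600          # seconds; assumed policy


@dataclass
class TokenStore:
    """Server-side token table, standing in for the UserToken records."""
    tokens: dict = field(default_factory=dict)   # (user_id, token) -> issued_ts

    def create(self, user_id, now):
        token = secrets.token_urlsafe(16)
        self.tokens[(user_id, token)] = now
        return token

    def issued_at(self, user_id, token):
        return self.tokens.get((user_id, token))   # None once deleted

    def delete(self, user_id, token):
        self.tokens.pop((user_id, token), None)


@dataclass
class SessionData:
    """What travels with the session for a logged-in user (assumed layout)."""
    user_id: int
    token: str
    token_ts: float   # when the token was issued
    cache_ts: float   # when the token was last validated against the store

    def copy(self):
        # Stands in for capturing the raw cookie value (step 2).
        return SessionData(self.user_id, self.token, self.token_ts, self.cache_ts)


def login(store, user_id, now):
    token = store.create(user_id, now)
    return SessionData(user_id, token, now, now)


def unset_session(store, session):
    """Logout: remove the server-side token (step 3)."""
    store.delete(session.user_id, session.token)


def get_user_by_token(store, session, now, always_validate=False):
    """Return the user id for the session, or None if it is not valid.

    With always_validate=False the store is consulted only once
    TOKEN_CACHE_AGE has elapsed since cache_ts. That cached path is the
    behaviour the post describes: a deleted token still passes.
    """
    if session is None:
        return None
    cache_fresh = now - session.cache_ts < TOKEN_CACHE_AGE
    if cache_fresh and not always_validate:
        return session.user_id   # token never compared with the store
    issued = store.issued_at(session.user_id, session.token)
    if issued is None:
        return None              # token deleted (logged out) or never issued
    if now - issued > TOKEN_MAX_AGE:
        store.delete(session.user_id, session.token)
        return None              # token expired
    session.cache_ts = now       # validated: refresh the cache timestamp
    return session.user_id


def replay_after_logout(always_validate, delay=300):
    """Run the reproduction steps from the post against the model.

    delay is how many seconds after login the captured cookie is replayed.
    """
    store = TokenStore()
    t0 = 1_700_000_000.0                    # constructed clock value
    session = login(store, user_id=42, now=t0)
    captured = session.copy()               # step 2
    unset_session(store, session)           # step 3
    # steps 4 and 5: the old cookie is presented again
    return get_user_by_token(store, captured, now=t0 + delay,
                             always_validate=always_validate)


if __name__ == "__main__":
    print("cached path, 5 min later :", replay_after_logout(False))
    print("cached path, cache expired:", replay_after_logout(False, TOKEN_CACHE_AGE + 1))
    print("always validate           :", replay_after_logout(True))
```

The cached path returns user 42 for any replay inside `TOKEN_CACHE_AGE`, which is the window the post is asking about; only once the cache timestamp ages out, or when the lookup is forced to consult the store, does the deleted token fail. A logout that needs to take effect immediately therefore has to invalidate whatever the cached check trusts, not only the server-side record.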