Sessions
This page provides an overview of how session management is handled in version 1.2.
When a new session is created, a phauxth_session_id is added to the Plug session. At the same time, the session id is added to a map called sessions in the users table in the database. Each session id is a key in the map, and the value is the timestamp of when the session was created. Storing the sessions in the database has the following advantages:
- It is easier to track and gather information about individual sessions.
- It is easier to invalidate individual sessions. One example can be seen in the example app, in the update_password function, where all of the existing sessions are deleted / invalidated. This means that after updating a password, the user has to log in with the new password.
- It is a lot more difficult for an attacker to create a cookie with a valid session id, because the id in the cookie must also be present in the user's sessions map.
The default lifetime of each session is 4 hours. You can change this by calling Phauxth.Authenticate with the max_age option (the example below sets it to 1 hour):

```elixir
plug Phauxth.Authenticate, max_age: 3600
```
The Phauxth.Authenticate module has a fresh_session?/1 function, which shows whether the session was created by logging in (fresh), or whether the session was added as part of the 'remember me' process (stale). This can be used to prevent users from accessing sensitive resources while using a persistent cookie.
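The following plug shows one way to use fresh_session?/1 to protect sensitive routes. It is an added example and not part of Phauxth or the example app; it assumes Phauxth.Authenticate has already run earlier in the pipeline, that fresh_session?/1 takes the conn as its argument, and that a login route exists at /sessions/new.

```elixir
defmodule MyAppWeb.RequireFreshSession do
  @moduledoc """
  Added example (not Phauxth's own code). Halts requests whose session was
  restored from a 'remember me' cookie rather than created by logging in, so
  that a stolen persistent cookie alone cannot reach sensitive resources.

  Assumptions: Phauxth.Authenticate has already run in this pipeline and
  Phauxth.Authenticate.fresh_session?/1 accepts the conn.
  """
  import Plug.Conn
  import Phoenix.Controller, only: [put_flash: 3, redirect: 2]

  def init(opts), do: opts

  def call(conn, _opts) do
    if Phauxth.Authenticate.fresh_session?(conn) do
      # Fresh (login-created) session: allow the request through.
      conn
    else
      # Stale (remember-me) session: ask the user to re-authenticate.
      conn
      |> put_flash(:error, "Please log in again to access this page.")
      |> redirect(to: "/sessions/new")
      |> halt()
    end
  end
end

# Usage in the router (hypothetical pipeline and route names):
#
#   pipeline :fresh_only do
#     plug MyAppWeb.RequireFreshSession
#   end
#
#   scope "/settings", MyAppWeb do
#     pipe_through [:browser, :fresh_only]
#     get "/password", PasswordController, :edit
#   end
```

Apply the plug only to the routes that change credentials or expose sensitive data, so that the convenience of the persistent cookie is kept for everything else.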
The Accounts module contains a remove_old_sessions/1 function, which needs to be run regularly to remove all the expired sessions from the database. This is needed because, although the session is deleted when a user logs out, many users will just let the session expire without logging out.
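The Accounts module below illustrates both the sessions map described at the top of this page (adding a session, deleting all sessions as update_password does, and checking a cookie's id against the map) and a remove_old_sessions function for the periodic cleanup just described. It is an added example written for this page, not the code of Phauxth or its example app. It assumes an Ecto repo MyApp.Repo, a MyApp.Accounts.User schema whose sessions field is a map column, and that the map values are Unix timestamps in seconds; the function names are hypothetical.

```elixir
defmodule MyApp.Accounts do
  @moduledoc """
  Added example (not Phauxth's own code). Manages the `sessions` map stored on
  each user: session_id => creation time (Unix seconds, assumed here).
  Assumes MyApp.Repo and a MyApp.Accounts.User schema with a map `sessions`.
  """
  import Ecto.Changeset
  alias MyApp.Accounts.User
  alias MyApp.Repo

  # Mirrors the 4 hour default lifetime mentioned on this page.
  @default_max_age 4 * 60 * 60

  @doc "Record a newly created session id, keyed by its creation time."
  def add_session(%User{} = user, session_id, created \\ System.system_time(:second)) do
    user
    |> change(sessions: Map.put(user.sessions || %{}, session_id, created))
    |> Repo.update()
  end

  @doc "Invalidate a single session, e.g. on logout."
  def delete_session(%User{} = user, session_id) do
    user
    |> change(sessions: Map.delete(user.sessions || %{}, session_id))
    |> Repo.update()
  end

  @doc "Invalidate every session, as done after a password change."
  def delete_sessions(%User{} = user) do
    user |> change(sessions: %{}) |> Repo.update()
  end

  @doc """
  True only if the id from the cookie is in the user's map and has not
  outlived `max_age`. A forged cookie with an unknown id fails here.
  """
  def session_valid?(%User{sessions: sessions}, session_id, max_age \\ @default_max_age) do
    case Map.fetch(sessions || %{}, session_id) do
      {:ok, created} -> created > System.system_time(:second) - max_age
      :error -> false
    end
  end

  @doc """
  Remove sessions older than `max_age` seconds from every user. Run this on a
  schedule: users who never log out leave expired ids behind otherwise.
  Returns the number of users whose map was rewritten.
  """
  def remove_old_sessions(max_age \\ @default_max_age) do
    cutoff = System.system_time(:second) - max_age

    # Repo.stream/1 must run inside a transaction.
    {:ok, updated} =
      Repo.transaction(fn ->
        User
        |> Repo.stream()
        |> Enum.reduce(0, fn user, count ->
          sessions = user.sessions || %{}

          live =
            sessions
            |> Enum.filter(fn {_id, created} -> created > cutoff end)
            |> Map.new()

          if map_size(live) == map_size(sessions) do
            count
          else
            user |> change(sessions: live) |> Repo.update!()
            count + 1
          end
        end)
      end)

    updated
  end
end
```

Call remove_old_sessions/1 with the same max_age you pass to Phauxth.Authenticate so that the database and the cookie agree on when a session expires; a scheduler such as a periodic GenServer or a cron-style library can invoke it once an hour.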