Cookie not updated when using carmine.store for sessions about luminus HOT 11 CLOSED

If you're using noir.util.middleware/app-handler then it will apply all the necessary middleware, such as wrap-noir-session for you. The default template should create a handler that looks something like the following:

(def app (app-handler
           ;; add your application routes here
           [home-routes app-routes]
           ;; add custom middleware here
           :middleware [middleware/template-error-page
                        middleware/log-request
                        middleware/wrap-exceptions]
          :session-options {:timeout 10
                            :timeout-response (response/redirect "/")}
           ;; add access rules here
           :access-rules []
           ;; serialize/deserialize the following data formats
           ;; available formats:
           ;; :json :json-kw :yaml :yaml-kw :edn :yaml-in-html
           :formats [:json-kw :edn]))

from luminus.

Yes, I'm using the template and app-handler, it generated a similar handler, I've only changed session storage:

(def app
 (app-handler
   [cljs-routes auth-routes home-routes app-routes]
   :middleware [middleware/template-error-page middleware/log-request]
   :access-rules []
   :formats [:json-kw :edn]
   :session-options 
    {:cookie-name "myapp-session" 
     :cookie-attrs {:max-age (* 60 60 24 30)} 
     :store (if (:use_redis (config)) 
              (carmine-store redis-conn {:key-prefix "myapp", :expiration-secs (* 60 60 24 30)}) 
              (cookie-store))}))

Yet the session cookie is sent only once at login :(

from luminus.

I'm not able to reproduce the issue locally, when I check the request headers in Chrome I see the Set-Cookie header on each request that looks as follows:

Set-Cookie:myapp-session=YuldGl%2Foym9f1aTzb83qS2Iso%2Bsu5o1CnmVq2QYhC550d24NWGWdW2DHsh5eRsqdo%2FHZRjYP%2FCjialhhGfMA5o6BGevkhD5nYu91zI5isiw%3D--Ztg46rWAQ0hEtFydUe6Qn%2F9sPN2HAlBir8RI4OQ%2Byt4%3D;Max-Age=2592000;Path=/;HttpOnly

from luminus.

Really strange, I can reproduce it locally (not using carmine-store). I can give you access to the source code if you want to investigate it further

from luminus.

Ah I think I found the difference, the latest template sets the session timeout as well:

{:timeout (* 60 30)
 :timeout-response (redirect "/")
 :cookie-name "myapp-session" 
 :cookie-attrs {:max-age (* 60 60 24 30)} 
 :store (cookie-store)}

Apparently that forces the cookie to be sent each time.

from luminus.

Unfortunately it's not the answer :( I even tried replacing my whole session-options with the above code but no luck, only the POST request to /login is sending the cookie in the response

from luminus.

I'm really not sure then, it does sound like an issue with Ring session store though more than luminus itself. All the template does is wrap the handler with the middleware. Since I don't maintain Ring session middleware my knowledge there is a bit limited.

from luminus.

Thanks a lot for trying anyway, do you have any tips on how could I be sure that wrap-(noir)-session is called?

from luminus.

You can see al the default middleware that gets applied by the app-handler here.

from luminus.

So I had a discussion with the owner of ring.core. It turns out ring is not re-sending the session cookie if the session data hasn't changed, which actually makes sense. It seems that I need to come up with my own solution for proper renewing auth-focused session cookies. Thanks a lot for your help!

from luminus.

Thanks for following up, good to know that's what was happening.

from luminus.