
Understanding how session check parameters work

Open sagivoulu opened this issue 4 years ago • 3 comments

I am using lua-resty-session in an API gateway I am implementing, & I want to include some security features that will block a user from stealing another user's session. I found in the documentation these fields that seem to do what I want:

  • session.check.ssi
  • session.check.ua
  • session.check.addr
  • session.check.schema

But I am not quite sure how they work... I couldn't find any segment in the lua-resty-session code that validates the request with these checks...

Can someone explain to me how & where does lua-resty-session actually check that the request came from the same ssl session / user agent / client address / schema?

And what happens if a request does not match one of these parameters?

sagivoulu avatar Jul 01 '21 05:07 sagivoulu

https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session.lua#L583-L588

bungle avatar Aug 05 '21 15:08 bungle

And you can see usage here: https://github.com/bungle/lua-resty-session/blob/master/lib/resty/session/strategies/default.lua#L31-L39

bungle avatar Aug 05 '21 15:08 bungle

Would it be possible to get feedback from session.present as to why a session is not present? EX: tampered cookie, user agent switch, etc...

ne4u avatar Oct 30 '22 21:10 ne4u
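An added illustration of the mechanism behind the two questions above, written in Python rather than Lua and not taken from lua-resty-session itself: the values of the enabled checks (SSL session id, user agent, scheme, client address) are folded into the material over which the cookie's HMAC is computed, so a request whose values differ yields a different MAC, verification fails, and the session is simply "not present". The message layout, field names and the constructed secret below are assumptions modelled on the linked code, not its exact byte format.

```python
import hashlib
import hmac

# Constructed demo secret; the real library uses the configured session.secret.
SECRET = b"constructed-demo-secret"

# Order in which the (hypothetical) check values are concatenated.
CHECK_FIELDS = ("ssi", "ua", "scheme", "addr")


def check_key(checks: dict) -> bytes:
    """Concatenate the enabled check values; a disabled check contributes ''.
    This is the part that binds the session to the request's properties."""
    return "|".join(checks.get(k, "") for k in CHECK_FIELDS).encode()


def sign(session_id: bytes, expires: int, data: bytes, checks: dict) -> bytes:
    """HMAC over id, expiry, payload and the check key (assumed layout)."""
    msg = b"|".join([session_id, str(expires).encode(), data, check_key(checks)])
    return hmac.new(SECRET, msg, hashlib.sha256).digest()


def issue_cookie(session_id: bytes, expires: int, data: bytes, checks: dict) -> dict:
    """Server side: build the cookie fields, including the MAC, for a request
    whose check values are `checks`."""
    return {"id": session_id, "expires": expires, "data": data,
            "hmac": sign(session_id, expires, data, checks)}


def open_session(cookie: dict, request_checks: dict, now: int) -> bool:
    """Server side on a later request: recompute the MAC with *this* request's
    check values and compare. Returns what session.present would reflect.
    A changed user agent, a changed address and a tampered payload all end
    here as the same MAC mismatch, which is why no finer-grained reason
    (tampered vs. check failure) is available at this point."""
    if cookie["expires"] <= now:
        return False
    expected = sign(cookie["id"], cookie["expires"], cookie["data"], request_checks)
    return hmac.compare_digest(expected, cookie["hmac"])
```

If you want to distinguish a check failure from tampering, you would have to store the check values (or a hash of them) in the session data and compare them separately after the MAC verifies, which changes what is bound and what is revealed.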