
site-defaults leaks memory by default

Open miikka opened this issue 5 years ago • 2 comments

site-defaults enables both the session middleware and ring-anti-forgery. The session middleware leaks sessions by default and ring-anti-forgery uses sessions to store the anti-CSRF tokens it creates. Thus, even if you don't use sessions yourself, ring-anti-forgery creates a session for every user and these sessions are never removed.

I'm not sure if there's a backwards-compatible way to fix it, or if it needs to be fixed in the first place, but I think it would be a good idea to at least document this.

miikka avatar Sep 28 '20 10:09 miikka

I believe the intent was for people to add in their own session store, but it might be reasonable to default to cookie stores. They're not perfect, but better than in-memory sessions in most ways.

weavejester avatar Sep 28 '20 21:09 weavejester
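The two configurations being contrasted above, written out as an added example (this is not code from the issue or from the ring-defaults project). It assumes the public ring API: wrap-defaults and site-defaults from ring.middleware.defaults, and cookie-store from ring.middleware.session.cookie; the SESSION_KEY environment variable and the handler are placeholders for the example.

```clojure
(ns example.handler
  (:require [ring.middleware.defaults :refer [wrap-defaults site-defaults]]
            [ring.middleware.session.cookie :refer [cookie-store]]))

;; Placeholder handler; it never touches the session itself.
(defn handler [_request]
  {:status  200
   :headers {"Content-Type" "text/plain"}
   :body    "ok"})

;; As shipped: site-defaults sets no :session :store, so ring's session
;; middleware falls back to its in-memory store. ring-anti-forgery (also
;; enabled by site-defaults) writes a CSRF token into the session of every
;; visitor, so every request without a session cookie allocates an entry
;; that is never expired or removed.
(def leaky-app
  (wrap-defaults handler site-defaults))

;; Safer default: keep the session in an encrypted client-side cookie. The
;; server then holds no per-visitor state, so nothing accumulates. The key
;; must be exactly 16 bytes; here it is read from SESSION_KEY (assumed to be
;; a 16-character ASCII string) so it survives restarts and is not in source.
(def session-key
  (.getBytes ^String (System/getenv "SESSION_KEY") "UTF-8"))

(def app
  (wrap-defaults handler
                 (assoc-in site-defaults
                           [:session :store]
                           (cookie-store {:key session-key}))))
```

Check that the store actually changed by inspecting the config you pass in: (get-in site-defaults [:session :store]) is nil, while (get-in (assoc-in site-defaults [:session :store] (cookie-store {:key session-key})) [:session :store]) returns the cookie store. Cookie sessions are capped by cookie size and are readable to whoever holds the key, which is the trade-off weavejester alludes to above; if you need server-side state, plug in a store with expiry rather than relying on the in-memory default.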

+1 for making the default safer. Most servers come with an expiring in-memory session store by default, so this is not something that people will expect.

antonmos avatar Aug 12 '21 16:08 antonmos