
Issue "anonymous" sessions for logged-out users

Authored by epriestley <git@epriestley.com> on Jan 23 2014, 23:03.

Description

Issue "anonymous" sessions for logged-out users

Summary:
Ref T4339. Ref T4310. Currently, sessions look like "afad85d675fda87a4fadd54", and are only issued for logged-in users. To support logged-out CSRF and (eventually) external user sessions, I made two small changes:

  • First, sessions now have a "kind", which is indicated by a prefix, like "A/ab987asdcas7dca". This mostly allows us to issue session queries more efficiently: we don't have to issue a query at all for anonymous sessions, and can join the correct table for user and external sessions and save a query. Generally, this gives us more debugging information and more opportunity to recover from issues in a user-friendly way, as with the "invalid session" error in this diff.
  • Secondly, if you load a page and don't have a session, we give you an anonymous session. This is just a secret with no special significance.

This does not implement CSRF yet, but gives us a client secret we can use to implement it.

Test Plan:

  • Logged in.
  • Logged out.
  • Browsed around.
  • Logged in again.
  • Went through link/register.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T4339

Differential Revision: https://secure.phabricator.com/D8043
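As an added illustration of the scheme the summary describes (example code, not the project's own PHP), a small resolver that reads the kind prefix off the session cookie, answers anonymous sessions without any lookup, checks user sessions against a constructed in-memory table, and issues a fresh anonymous secret when the cookie is missing or invalid. The "U" kind letter, the table contents and all function names are assumptions.

```python
import secrets

# Kind prefixes are assumed; only "A" (anonymous) appears in the commit text.
SESSION_KINDS = {"A": "anonymous", "U": "user"}

# Constructed stand-in for the user-session table: secret -> username.
USER_SESSIONS = {"u1secretexample": "alice"}


def parse_session_token(token):
    """Split 'A/ab987asdcas7dca' into (kind, secret); (None, None) if malformed."""
    if not token or "/" not in token:
        return None, None
    kind, _, secret = token.partition("/")
    if kind not in SESSION_KINDS or not secret:
        return None, None
    return kind, secret


def new_anonymous_token():
    """An anonymous session is just a random secret with no special meaning."""
    return "A/" + secrets.token_hex(20)


def resolve_session(cookie_value, user_table=USER_SESSIONS):
    """Resolve a cookie into a session record without a DB hit for anonymous kinds.

    'queried' records whether a table lookup was needed; 'set_cookie' is the
    replacement token the response should set, if any.
    """
    result = {"kind": None, "user": None, "queried": False,
              "set_cookie": None, "error": None}
    kind, secret = parse_session_token(cookie_value)
    if kind is None:
        # No usable session yet: hand out an anonymous one, as the commit does.
        result.update(kind="anonymous", set_cookie=new_anonymous_token())
        return result
    if kind == "A":
        # Anonymous: nothing to look up, the secret is only a client-held value.
        result.update(kind="anonymous")
        return result
    # User kind: the prefix tells us which table to consult.
    result["queried"] = True
    user = user_table.get(secret)
    if user is None:
        # Surface a recoverable "invalid session" and fall back to anonymous.
        result.update(kind="anonymous", error="invalid session",
                      set_cookie=new_anonymous_token())
        return result
    result.update(kind="user", user=user)
    return result
```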

Details

Committed: epriestley <git@epriestley.com>, Jan 23 2014, 23:03
Pushed: aubort, Jan 31 2017, 17:16
Parents: rPH072741802350: Consolidate use of magical cookie name strings
Branches: Unknown
Tags: Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPH69ddb0ced631: Issue "anonymous" sessions for logged-out users (authored by epriestley <git@epriestley.com>). Jan 23 2014, 23:03