danieleteti / delphimvcframework

DMVCFramework (for short) is a popular and powerful framework for WEB API in Delphi. Supports RESTful and JSON-RPC WEB APIs development.


TMVCEngine.GetCurrentSession ignores TWebSession.IsExpired

fastbike opened this issue · comments

The class function TMVCEngine.GetCurrentSession ignores the implementation of the IsExpired virtual function in the actual web session item.
Current code at line 2465 is:

      // Engine computes expiry itself from LastAccess and a fixed timeout
      IsExpired := True;
      if List.TryGetValue(ASessionId, Result) then
        if (ASessionTimeout = 0) then
          IsExpired := MinutesBetween(Now, Result.LastAccess) > DEFAULT_SESSION_INACTIVITY
        else
          IsExpired := MinutesBetween(Now, Result.LastAccess) > ASessionTimeout;

But this should be:

      // Delegate the decision to the session object's virtual IsExpired
      IsExpired := True;
      if List.TryGetValue(ASessionId, Result) then
        IsExpired := Result.IsExpired;

This allows the web session item to determine if the timeout has expired, e.g. when using an OAuth token to determine session lifetime.

SessionTimeout is a fixed value to be added to the time the session was last accessed, whereas with an OAuth controlled session, the "expiry time" is coded into the token and is not related to the last access time.

The session is just the good-old session maintained with the session cookie. OAuth or JWT "session" is just recreated from the info contained in the token after the token validation. Did I miss something?

I'm using a TWebSession descendant which stores the OAuth token expiry time and uses that to provide the result in the overridden IsExpired session function. Most places in the code call the IsExpired function, but the code I have highlighted does not, so any custom implementation of session expiry is bypassed.

You mention JWT and OAuth, is there an existing implementation I have missed?

DMVCFramework provides a fully compatible JWT implementation out of the box. If you have all the OAuth machinery in place, creating a middleware to support OAuth is a matter of hours using the implementation for JWT provided in the unit sources\MVCFramework.Middleware.JWT.pas

I do have a custom middleware that supports OAuth.
My JWT token is being issued by a third party Identity Provider (IP). That IP controls the session expiry time, not the session lifetime I have configured in the DMVC configuration. My session descendant class compares the current date/time against the token's "exp" claim to return IsExpired.
So the MVC Engine code needs to read the IsExpired from this class rather than the current implementation that uses a hard-coded algorithm which ignores the algorithm coded into the session descendant.
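To make the effect of the two engine versions concrete, here is an added Python model of the behaviour discussed in this thread (it is not DMVCFramework code; the class names, the 60-minute default and the sample timestamps are assumptions). `engine_expired_before` reproduces the fixed-timeout logic quoted from line 2465, `engine_expired_after` the proposed delegation to the session's own `is_expired`, and the token-bound session mirrors a TWebSession descendant that compares the clock against the JWT `exp` claim.

```python
from datetime import datetime, timedelta

DEFAULT_SESSION_INACTIVITY = 60  # minutes; assumed default for this model


class WebSession:
    """Base session: expires after a fixed period of inactivity."""

    def __init__(self, last_access: datetime, timeout_minutes: int = 0):
        self.last_access = last_access
        self.timeout_minutes = timeout_minutes

    def is_expired(self, now: datetime) -> bool:
        timeout = self.timeout_minutes or DEFAULT_SESSION_INACTIVITY
        return (now - self.last_access) > timedelta(minutes=timeout)


class TokenBoundSession(WebSession):
    """Descendant whose lifetime is the identity provider's 'exp' claim."""

    def __init__(self, last_access: datetime, exp_claim: datetime):
        super().__init__(last_access)
        self.exp = exp_claim

    def is_expired(self, now: datetime) -> bool:
        return now >= self.exp  # token lifetime, not last access, decides


def engine_expired_before(session: WebSession, now: datetime, session_timeout: int) -> bool:
    """Original engine logic: ignores the session's own is_expired."""
    minutes_idle = int((now - session.last_access).total_seconds() // 60)
    if session_timeout == 0:
        return minutes_idle > DEFAULT_SESSION_INACTIVITY
    return minutes_idle > session_timeout


def engine_expired_after(session: WebSession, now: datetime) -> bool:
    """Proposed engine logic: delegate to the session object."""
    return session.is_expired(now)


def demo() -> dict:
    """Constructed scenario: token already expired, but the user was active 5 min ago."""
    now = datetime(2024, 1, 1, 12, 0, 0)
    stale_token = TokenBoundSession(last_access=now - timedelta(minutes=5),
                                    exp_claim=now - timedelta(minutes=1))
    return {
        "before": engine_expired_before(stale_token, now, 0),  # False: token still honoured
        "after": engine_expired_after(stale_token, now),       # True: exp claim respected
    }
```

The `before` result shows the risk the reporter describes: a session backed by an already-expired token stays valid for up to the inactivity window, because the engine never consults the descendant's check.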

It should be fixed (all unit tests pass). Please let me know if it works in your case.

Very nice improvement, many thanks for working with me.