Administrating sessions

[aranvir]

Hi, I'm trying to figure out if it's possible to administrate server side sessions, e.g. to invalidate all sessions of a user account that has been deactivated or add session data of that user without a user request.

From this question I take it that this is not possible (or only partially -> delete 1 or all sessions), but since this is a few months old I wondered if that has changed since then.

My best take on this is as follows:

• Make the session_store and the session_backend available globally as an app dependency
• On successful login, store session id and user id in separate storage (memory, redis, database, whatever)
• Whenever an administrative change to user sessions is necessary, get all session id's for the corresponding user id
  • Loop the user's session id's and get the session data from the session_store
  • Delete the session or change the session data (using the session_backend for serialization and deserialization)
• On app shutdown, delete all user sessions for clean-up

Using the combination of session_store and session_backend seems a bit awkward to me, so this made me skeptical if this is the right approach. But maybe it's just like that because editing "global session" data is not the preferred use case since for most situations request.session.get and request.session.set would be sufficient (getting/setting user session data based on a user request).

Another thing: I think it would be useful if request.session.set would return the session id (instead of having to fetch it from the cookies afterwards).

(This snippet misses the data models but should not matter for the question)

class UserController(Controller):
    @post("/login", return_dto=UserReadDTO, status_code=litestar.status_codes.HTTP_200_OK)
    async def login(
            self,
            data: UserLogin,
            request: Request[Any, Any, Any],
    ) -> User:
        """Authenticate the user and initialize the user session."""
        async with AsyncSession(sqlalchemy_config.get_engine()) as session:
            async with session.begin():
                user: Optional[User] = await session.scalar(
                    select(User).where(User.name == data.name))
                )
                if user is None:
                    raise exceptions.NotFoundException("Returned None. Unknown user name.")
                if not verify_password(data.pw.get_secret_value(), user.hashed_pw):
                    raise exceptions.NotAuthorizedException("Wrong credentials.")

                # Associate user data with current session
                # For a server side session this data will NOT be visible to the user.
                # The user only sees the session id
                request.set_session(
                    {"user_id": user.id, "clearance": user.secret_clearance}
                )
                session_id = request.cookies.get("session")
                logger.info(f"{request.cookies}")
                logger.info(f"Session id: {session_id}")
                logger.info(f"Session content: {request.session}")

                session_exists = await session.scalar(
                    select(UserSession.session_id).where(UserSession.user_id == user.id, UserSession.session_id == session_id))
                logger.info(f"Session exists: {session_exists}")
                if session_exists is None:
                    user_session = UserSession(
                        session_id=session_id,
                        user_id=user.id
                    )
                    session.add(user_session)

                session.expunge(user)  # free instance from sqlalchemy session
                logger.info("User logged in!")
                return user

    @post("/change-clearance")
    async def change_clearance(self, data: ChangeClearance, session_store: Store) -> None:
        logger.info(f"Received request to change clearance for {data.name} to {data.new_clearance}")
        async with AsyncSession(sqlalchemy_config.get_engine()) as session:
            async with session.begin():
                user: Optional[User] = await session.scalar(
                    select(User).where(User.name == data.name)
                )
                if user is None:
                    raise exceptions.NotFoundException("Returned None. Unknown user name.")
                user.secret_clearance = data.new_clearance

                user_sessions = await session.scalars(select(UserSession.session_id).where(UserSession.user_id == user.id))
                user_sessions = [ses for ses in user_sessions]
                logger.info(f"Active sessions: {len(user_sessions)}")
                for user_session_id in user_sessions:
                    encoded_session = await session_store.get(user_session_id)
                    session_data = session_backend.deserialize_data(encoded_session)
                    logger.info(f"Old: Session {user_session_id} | Data [{type(session_data)}] {session_data}")
                    session_data["clearance"] = data.new_clearance
                    await session_store.set(user_session_id, session_backend.serialize_data(session_data))
                    encoded_session = await session_store.get(user_session_id)
                    session_data = session_backend.deserialize_data(encoded_session)
                    logger.info(f"New: Session {user_session_id} | Data [{type(session_data)}] {session_data}")

App setup (this misses the database setup and the user model but should cover the relevant aspects for this question):

session_config = ServerSideSessionConfig()
session_auth = SessionAuth[User, ServerSideSessionBackend](
    retrieve_user_handler=retrieve_user_handler,  # Retrieves user from database
    session_backend_config=session_config,
    # exclude any URLs that should not have authentication.
    # /login - authentication process
    # /schema - api documentation
    exclude=["/login", "/schema"],
)


async def session_store(request: Request) -> Store:
    return request.app.stores.get("sessions")

async def get_session_backend() -> BaseSessionBackend:
    return session_auth.session_backend

app = Litestar(
    route_handlers=[
        UserController,
    ],
    on_startup=[db_config.on_startup],
    on_shutdown=[db_config.invalidate_sessions],
    on_app_init=[session_auth.on_app_init],
    dependencies={
        "session_store": Provide(session_store),
        "session_backend": Provide(get_session_backend)
    },
    stores={"sessions": MemoryStore()},
    plugins=[db_config.sqlalchemy_plugin],
    debug=True
)

[provinzkraut]

e.g. to invalidate all sessions of a user account that has been deactivated or add session data of that user without a user request.

It's not not possible, it's just that Litestar does not have the concept of a user account. It can store session data for you and handle authentication, but you'll have to provide the user management logic yourself.

The easiest way to go about this would be to simply go into the session store, fetch all the user sessions and check if they need to be invalidated and then delete them from the store.

I would recommend against duplicating the session logic in your database, since storing this data in 2 places leads to synchronisation issues you'll then have to take care of, e.g. what is the source of truth in case there's a conflict?

An alternative would be to implement a store yourself that acts as your session store but is backed by the database. Functionally, this would make querying easier, but to be honest, unless you're expecting to deal with a massive amount of users (think north of a few hundred thousand), there will be no problem just checking the sessions individually if you're using Redis and especially not the MemoryStore.

[provinzkraut]

Pretty much, yeah

[aranvir]

Coming back to this now, since I actually want to try this. The use case is: User accounts can be disabled and that should invalidate all sessions. The state is stored in the user data in the database, so new sessions can only be opened if the user account is enabled.

I don't think it's possible right now to fetch all data stored in a store right? Or at least all keys or something like that. So, what would be a good way to approach this? I thought about talking to the redis instance directly and trying to get the data from the namespace set by the session store.. but that is then a redis specific solution only. Would not work for other stores (e.g., for local development I still use the MemoryStore just because it's easier to setup).

Would it make sense to add a get_all_session_keys() method to the Store base class, or am I approaching the problem from the wrong angle?

[provinzkraut]

Would it make sense to add a get_all_session_keys() method to the Store base class, or am I approaching the problem from the wrong angle?

Not really, since the stores aren't specific to the sessions. The stores are just key/value stores.

I think you're approaching this from a wrong angle though.

User accounts can be disabled and that should invalidate all sessions.

Typically, you'd do this during the authorisation process. You shouldn't rely on the session's presence to determine whether or not a user is authorised to perform some action. Usually, you'd do something like

async def authorized(user: User) -> None:
  if user.disabled:
    terminate_user_session(user)
    raise NotAuthorized()

[aranvir]

I see, yea, I think I misunderstood how this is generally handled, as I never worked with sessions in general before. So, this is my first time implementing this.

So, initially I thought that for this case, I'd need to have the retrieve_user_handler to query the database. Meaning, each time a request is being handled, a query is sent to get the latest state. If the user account has been disabled, I can invalidate the session that was used for the request and return the corresponding error response.

Is that the correct(er) approach? I thought I could speed that up by mirroring the user data into the session data but I probably mixed caching and sessions in a bad way. So, better to have sessions only contain data to that relevant user session (whatever it may be) and have user account state at a reliable source (cache or database)?

[provinzkraut]

That's a decent summary, yes!

[aranvir]

Might be a "stupid" question but I feel like seeing ghosts because something stopped working that worked the whole time the last days:

On login, when there is no user session yet, calling request.set_session(...) will write data to the session but the session id will only be created by the middleware when sending the response, right? So, I could not even store the session id as suggested above because it does not exist in the scope of my login function - it's only created when that function passed without error and the Middleware takes care of wrapping the response.

[provinzkraut]

Yeah, that seems about right. IMO this should be changed though: If we have the session middleware installed, it should create a session ID right away and also make it available somehow to reference. If you want, you can create an issue for that.

[aranvir]

Done: #3116