I'm using redis as a session store, storing sessions like so:

    [NameSpace]:[UniqueId] -> [email_id]

When a user resets their password, how do I invalidate all the sessions of that user?

Here are the solutions I came up with:

1. Store sessions like so

    [NameSpace]:[UniqueId]-[email_id] -> [email_id]

   Then I can use SCAN MATCH to delete all the keys when the user resets the password.

2. After storing sessions like

    [NameSpace]:[UniqueId] -> [email_id]

   maintain a separate list with

    [NameSpace2]:[email_id] -> [ "[UniqueId]", "[UniqueId]" ]

   and invalidate the sessions using the list. (I can use redis namespace pubsub to maintain the validity of the above list.)

Are there any security issues with storing the session-id like [UniqueId]-[email_id] in the cookie?

PS: I'm aware that there is a similar question ("Invalidating all of a single user's sessions in express.js"), but I felt that it was noisy and geared towards express.js instead of being generic for redis and user sessions.
Maintain a set of all user sessions:

    [NameSpace]:[email_id] -> {}

Each session identifier is a value in the set. If you'd like to store session attributes, use a map sessionIdentifier1 -> sessionProperties1 (lookup and deletion costs are the same).

    [NameSpace]:[email_id] -> {sessionIdentifier1, sessionIdentifier2}

Bulk session invalidation - delete the key [NameSpace]:[email_id]. Cost O(1).

Looking up a sessionIdentifier - SISMEMBER sessionIdentifier1 of the key [NameSpace]:[email_id]. Cost O(1).

> Are there any security issues with storing the session-id like [UniqueId]-[email_id] in the cookie?

It depends. If the cookie is not HttpOnly, it would allow malicious JS to read that cookie through an XSS vulnerability. You could leave yourself open to phishing attacks. You can use the user's internal UUID instead.
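The per-user session set described in this answer, as an added example that is not part of the original answer: a random session id is the only thing that goes in the cookie, the set is keyed by the internal user id rather than the email, and a lookup checks SISMEMBER so that sessions orphaned by a bulk invalidation are rejected and cleaned up. The FakeRedis class is a constructed stand-in for the few Redis commands used (SET, GET, DEL, SADD, SISMEMBER, SMEMBERS) so the example runs offline; in production pass a redis.Redis() client instead.

```python
import secrets


class FakeRedis:
    """Constructed in-memory stand-in for the Redis commands used below."""
    def __init__(self):
        self.kv, self.sets = {}, {}
    def set(self, k, v): self.kv[k] = v
    def get(self, k): return self.kv.get(k)
    def delete(self, *keys):
        n = 0
        for k in keys:  # DEL works on both string and set keys
            n += self.kv.pop(k, None) is not None
            n += self.sets.pop(k, None) is not None
        return n
    def sadd(self, k, *members): self.sets.setdefault(k, set()).update(members)
    def sismember(self, k, m): return m in self.sets.get(k, ())
    def smembers(self, k): return set(self.sets.get(k, ()))


class SessionStore:
    def __init__(self, client, ns="sess"):
        self.r, self.ns = client, ns
    def _sess_key(self, sid): return f"{self.ns}:{sid}"        # sid -> user id
    def _user_key(self, uid): return f"{self.ns}:user:{uid}"   # user id -> {sids}

    def create(self, user_id):
        # Unpredictable id; no email or user id is embedded in the cookie value.
        sid = secrets.token_urlsafe(32)
        self.r.set(self._sess_key(sid), user_id)
        self.r.sadd(self._user_key(user_id), sid)
        return sid

    def lookup(self, sid):
        """Return the user id for a valid session, else None."""
        uid = self.r.get(self._sess_key(sid))
        if uid is None or not self.r.sismember(self._user_key(uid), sid):
            # Orphan left behind by invalidate_all (or unknown id): drop it.
            self.r.delete(self._sess_key(sid))
            return None
        return uid

    def invalidate_all(self, user_id):
        """Password reset: kill every session of this user. Returns the count."""
        sids = self.r.smembers(self._user_key(user_id))
        # Deleting the set alone (O(1)) is enough for lookup() to reject the
        # sessions; removing the per-session keys too avoids leaving orphans.
        self.r.delete(self._user_key(user_id), *[self._sess_key(s) for s in sids])
        return len(sids)
```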