Difference between revisions for Users / Eo Ny
|
← Previous edit
|
Next edit →
|
| Version1 | Version2 | ||
|---|---|---|---|
| 1 | == Session Management Technical Documentation == | 1 | == Session Management Technical Documentation == |
| 2 | {{toc numerate=1}} | 2 | {{toc numerate=1}} |
| 3 | |||
| 3 | === Overview === | 4 | === Overview === |
| 4 | 5 | ||
| 5 | The ##Session## class is an abstract session management system for WackoWiki that extends ##ArrayObject## to provide secure, configurable session handling. It implements sophisticated security features including session ID regeneration, anti-replay protection, nonce verification, and user agent/IP validation. | 6 | The ##Session## class is an abstract session management system for WackoWiki that extends ##ArrayObject## to provide secure, configurable session handling. It implements sophisticated security features including session ID regeneration, anti-replay protection, nonce verification, and user agent/IP validation. |
| … | … | … | … |
| 1712 | 1713 | ||
| 1713 | === Performance Considerations === | 1714 | === Performance Considerations === |
| 1714 | 1715 | ||
| 1715 |
==== |
1716 | ====Optimization Tips==== |
| 1716 | 1. **Minimize Session Writes:** | 1717 | 1. **Minimize Session Writes:** |
| 1717 |
|
1718 | - Session data only written during ##write_close()## or regeneration |
| 1718 |
|
1719 | - No unnecessary serialization during reads |
| 1719 | 2. **Garbage Collection:** | 1720 | 2. **Garbage Collection:** |
| 1720 |
|
1721 | - Probabilistic GC (based on ##cf_gc_probability##) |
| 1721 |
|
1722 | - Only runs on ~2% of requests by default |
| 1722 |
|
1723 | - Customize based on your session volume |
| 1723 | 3. **Nonce Cleanup:** | 1724 | 3. **Nonce Cleanup:** |
| 1724 |
|
1725 | - Expired nonces automatically removed on verification |
| 1725 |
|
1726 | - Verified nonces removed from storage |
| 1726 |
|
1727 | - No manual cleanup needed |
| 1727 | 4. **Session ID Validation:** | 1728 | 4. **Session ID Validation:** |
| 1728 |
|
1729 | - Regex-based validation is fast |
| 1729 |
|
1730 | - No database lookup needed |
| 1730 | 5. **Caching Strategy:** | 1731 | 5. **Caching Strategy:** |
| 1731 |
|
1732 | - Cache expensive lookups between session operations |
| 1732 |
|
1733 | - Session data loaded once per request |
| 1733 | 1734 | ||
| 1734 | ==== Benchmarks ==== | 1735 | ==== Benchmarks ==== |
| 1735 | 1736 | ||
| … | … | … | … |
| 1806 | 1807 | ||
| 1807 | ---- | 1808 | ---- |
| 1808 | 1809 | ||
| 1809 | === TODO Items (From Code Comments) === | 1810 | ===TODO Items (From Code Comments)=== |
| 1810 | |||
| 1811 | The following improvements are planned: | 1811 | The following improvements are planned: |
| 1812 | 1. **Do not store session ID in filename or DB index - store hash instead** | 1812 | 1. **Do not store session ID in filename or DB index - store hash instead** |
| 1813 |
|
1813 | - Improves security by not exposing IDs in storage layer |
| 1814 |
|
1814 | - Would require hashing logic in store_* methods |
| 1815 | 2. **Log of IP changes and other possible security alerts** | 1815 | 2. **Log of IP changes and other possible security alerts** |
| 1816 |
|
1816 | - Track ##sticky__ip## changes more comprehensively |
| 1817 |
|
1817 | - Create security audit trail |
| 1818 | 3. **Allocate internal unique session which lives through lifetime of uber-session** | 1818 | 3. **Allocate internal unique session which lives through lifetime of uber-session** |
| 1819 |
|
1819 | - Multi-session management (parent/child sessions) |
| 1820 |
|
1820 | - Useful for complex user flows |
| 1821 | 4. **Do not delete old sessions, but use them as hijack pointers** | 1821 | 4. **Do not delete old sessions, but use them as hijack pointers** |
| 1822 |
|
1822 | - Maintain session history for analysis |
| 1823 |
|
1823 | - Detect potential session hijacking patterns |
| 1824 |
|
1824 | - Implement session relationship tracking |
| 1825 | 5. **All SIDs used later than ~5secs of regenerations is hijacks** | 1825 | 5. **All SIDs used later than ~5secs of regenerations is hijacks** |
| 1826 |
|
1826 | - Detect and block delayed session ID usage |
| 1827 |
|
1827 | - Current implementation allows 5-second window |
| 1828 |
|
1828 | - Could be more granular |
| 1829 | 1829 | ||
| 1830 | ---- | 1830 | ---- |
| 1831 | 1831 | ||
| … | … | … | … |
| 1852 | 1852 | ||
| 1853 | ---- | 1853 | ---- |
| 1854 | 1854 | ||
| 1855 |
=== |
1855 | ===Version History=== |
| 1856 | - **Current**: Abstract session class with security features | 1856 | - **Current**: Abstract session class with security features |
| 1857 | - **Planned**: Implementation of TODO items above | 1857 | - **Planned**: Implementation of TODO items above |
| 1858 | 1858 | ||
| 1859 | ---- | 1859 | ---- |
| 1860 |
|
1860 | **Documentation generated: 2026-05-05** |
| 1861 |
|
1861 | **For latest updates, see: https://github.com/Trojer/wackowiki/blob/main/docs/SESSION_DOCUMENTATION.md** |