Difference between revisions for Users / Eo Ny




← Previous edit
Next edit →

Version1 Version2
1 == Session Management Technical Documentation == 1 == Session Management Technical Documentation ==
2 {{toc numerate=1}} 2 {{toc numerate=1}}
    3
3 === Overview === 4 === Overview ===
4 5
5 The ##Session## class is an abstract session management system for WackoWiki that extends ##ArrayObject## to provide secure, configurable session handling. It implements sophisticated security features including session ID regeneration, anti-replay protection, nonce verification, and user agent/IP validation. 6 The ##Session## class is an abstract session management system for WackoWiki that extends ##ArrayObject## to provide secure, configurable session handling. It implements sophisticated security features including session ID regeneration, anti-replay protection, nonce verification, and user agent/IP validation.
1712 1713
1713 === Performance Considerations === 1714 === Performance Considerations ===
1714 1715
1715 ==== Optimization Tips ==== 1716 ====Optimization Tips====
1716   1. **Minimize Session Writes:** 1717   1. **Minimize Session Writes:**
1717   - Session data only written during ##write_close()## or regeneration 1718     - Session data only written during ##write_close()## or regeneration
1718   - No unnecessary serialization during reads 1719     - No unnecessary serialization during reads
1719   2. **Garbage Collection:** 1720   2. **Garbage Collection:**
1720   - Probabilistic GC (based on ##cf_gc_probability##) 1721     - Probabilistic GC (based on ##cf_gc_probability##)
1721   - Only runs on ~2% of requests by default 1722     - Only runs on ~2% of requests by default
1722   - Customize based on your session volume 1723     - Customize based on your session volume
1723   3. **Nonce Cleanup:** 1724   3. **Nonce Cleanup:**
1724   - Expired nonces automatically removed on verification 1725     - Expired nonces automatically removed on verification
1725   - Verified nonces removed from storage 1726     - Verified nonces removed from storage
1726   - No manual cleanup needed 1727     - No manual cleanup needed
1727   4. **Session ID Validation:** 1728   4. **Session ID Validation:**
1728   - Regex-based validation is fast 1729     - Regex-based validation is fast
1729   - No database lookup needed 1730     - No database lookup needed
1730   5. **Caching Strategy:** 1731   5. **Caching Strategy:**
1731   - Cache expensive lookups between session operations 1732     - Cache expensive lookups between session operations
1732   - Session data loaded once per request 1733     - Session data loaded once per request
1733 1734
1734 ==== Benchmarks ==== 1735 ==== Benchmarks ====
1735 1736
1806 1807
1807 ---- 1808 ----
1808 1809
1809 === TODO Items (From Code Comments) === 1810 ===TODO Items (From Code Comments)===
1810    
1811 The following improvements are planned: 1811 The following improvements are planned:
1812   1. **Do not store session ID in filename or DB index - store hash instead** 1812   1. **Do not store session ID in filename or DB index - store hash instead**
1813   - Improves security by not exposing IDs in storage layer 1813     - Improves security by not exposing IDs in storage layer
1814   - Would require hashing logic in store_* methods 1814     - Would require hashing logic in store_* methods
1815   2. **Log of IP changes and other possible security alerts** 1815   2. **Log of IP changes and other possible security alerts**
1816   - Track ##sticky__ip## changes more comprehensively 1816     - Track ##sticky__ip## changes more comprehensively
1817   - Create security audit trail 1817     - Create security audit trail
1818   3. **Allocate internal unique session which lives through lifetime of uber-session** 1818   3. **Allocate internal unique session which lives through lifetime of uber-session**
1819   - Multi-session management (parent/child sessions) 1819     - Multi-session management (parent/child sessions)
1820   - Useful for complex user flows 1820     - Useful for complex user flows
1821   4. **Do not delete old sessions, but use them as hijack pointers** 1821   4. **Do not delete old sessions, but use them as hijack pointers**
1822   - Maintain session history for analysis 1822     - Maintain session history for analysis
1823   - Detect potential session hijacking patterns 1823     - Detect potential session hijacking patterns
1824   - Implement session relationship tracking 1824     - Implement session relationship tracking
1825   5. **All SIDs used later than ~5secs of regenerations is hijacks** 1825   5. **All SIDs used later than ~5secs of regenerations is hijacks**
1826   - Detect and block delayed session ID usage 1826     - Detect and block delayed session ID usage
1827   - Current implementation allows 5-second window 1827     - Current implementation allows 5-second window
1828   - Could be more granular 1828     - Could be more granular
1829 1829
1830 ---- 1830 ----
1831 1831
1852 1852
1853 ---- 1853 ----
1854 1854
1855 === Version History === 1855 ===Version History===
1856   - **Current**: Abstract session class with security features 1856   - **Current**: Abstract session class with security features
1857   - **Planned**: Implementation of TODO items above 1857   - **Planned**: Implementation of TODO items above
1858 1858
1859 ---- 1859 ----
1860   *Documentation generated: 2026-05-05* 1860 **Documentation generated: 2026-05-05**
1861   *For latest updates, see: https://github.com/Trojer/wackowiki/blob/main/docs/SESSION_DOCUMENTATION.md* 1861 **For latest updates, see: https://github.com/Trojer/wackowiki/blob/main/docs/SESSION_DOCUMENTATION.md**