Plug.Conn.configure_session(conn, renew: true) - Does it do anything to the cookie store?

kuroda · August 4, 2021, 5:22am

While examining the source code generated by phx.gen.auth, I found a function in user_auth.ex:

  defp renew_session(conn) do
    conn
    |> configure_session(renew: true)
    |> clear_session()
  end

I removed |> configure_session (renew: true) to see how configure_session/2 works, but I didn’t see any change in the behavior of the application.

The official documentation describes the :renew option as follows:

:renew: When true, generates a new session id for the cookie

However, it seems that my browser cookie does not contain a session ID equivalent.
Perhaps this description is out of date and in fact this option has no effect on the cookie.

stefanchrobot · August 4, 2021, 7:10am

If I understand correctly, cookie-based sessions don’t use session IDs. Session ID is meant to be used by other session stores like Redis or database. See also ETS-based sessions and it’s implementation.

kuroda · August 4, 2021, 8:04am

@stefanchrobot

Thanks. If I use the ETS-based sessions, are the session IDs stored in the cookie?

stefanchrobot · August 4, 2021, 8:53am

Yes. The session ID is stored in the cookie and the content is stored in the ETS table. Note that:

We don’t recommend using this store in production as every session will be stored in ETS and never cleaned until you create a task responsible for cleaning up old entries.
Also, since the store is in-memory, it means sessions are not shared between servers. If you deploy to more than one machine, using this store is again not recommended.
This store, however, can be used as an example for creating custom storages, based on Redis, Memcached, or a database itself.