Allow on-demand sessions #1852

Open
Mis1eader-dev opened this issue Nov 14, 2023 · 2 comments
@Mis1eader-dev
Member

Mis1eader-dev commented Nov 14, 2023

Is your feature request related to a problem? Please describe.
The developed server application may want to offer a session ID cookie only when the user is logged in; that way the server is not wasting its resources on a malicious client repeatedly clearing their cookies and refreshing the page.

Describe the solution you'd like
Have a public function that does the actual session generation, and have it get called where it is currently getting generated.
Then have a config option `"session_auto_generate": true`, which does what it does currently, and if it is set to `false`, then the generator function will not get called automatically; it is up to the programmer to call that function, say in a `/login` endpoint when correct credentials are passed in.

Describe alternatives you've considered
Custom rewritten logic of sessions, but it introduces redundancies.
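
The difference the request describes can be modelled in a few lines. This is an added example, not part of the original issue and not Drogon code: `SessionStore`, `handleRequest`, `login` and `storeSizeAfterCookielessRequests` are hypothetical names, and the `autoGenerate` flag only mirrors the proposed `session_auto_generate` option.

```cpp
#include <cstddef>
#include <optional>
#include <random>
#include <string>
#include <unordered_set>

// Hypothetical model of a framework session store; not Drogon's API.
class SessionStore {
public:
    // autoGenerate mirrors the proposed "session_auto_generate" option.
    explicit SessionStore(bool autoGenerate) : autoGenerate_(autoGenerate) {}

    // The public generator the issue asks for: allocates server-side state.
    std::string generate() {
        static const char hex[] = "0123456789abcdef";
        std::string id;
        for (int word = 0; word < 4; ++word) {  // 4 x 32 bits = 128-bit ID
            unsigned int r = rd_();
            for (int nibble = 0; nibble < 8; ++nibble, r >>= 4)
                id.push_back(hex[r & 0xF]);
        }
        sessions_.insert(id);
        return id;
    }

    // Returns the Set-Cookie value to send, if any, for an ordinary request.
    std::optional<std::string> handleRequest(const std::optional<std::string>& cookie) {
        if (cookie && sessions_.count(*cookie)) return std::nullopt;  // known session
        if (autoGenerate_) return generate();  // behaviour the issue describes as current
        return std::nullopt;                   // on-demand: anonymous clients stay stateless
    }

    // Login handler: state is allocated only after credentials check out.
    std::optional<std::string> login(bool credentialsValid) {
        if (!credentialsValid) return std::nullopt;
        return generate();
    }

    std::size_t size() const { return sessions_.size(); }

private:
    bool autoGenerate_;
    std::random_device rd_;  // assumption: OS-backed entropy; use a vetted CSPRNG in production
    std::unordered_set<std::string> sessions_;
};

// Constructed scenario: n requests that never send a cookie back.
std::size_t storeSizeAfterCookielessRequests(bool autoGenerate, int n) {
    SessionStore store(autoGenerate);
    for (int i = 0; i < n; ++i) store.handleRequest(std::nullopt);
    return store.size();
}
```

With automatic generation the store grows by one entry per cookieless request; with on-demand generation it grows only on a successful login.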

@drizzle042

@Mis1eader-dev I also have the same opinion.

If enabling sessions is a framework-wide feature but disabling it specifically for one particular client while the rest of the server enjoys the feature is possible, it would be helpful.

Although I think it will introduce another layer of complexity and work, because HTTP is stateless, so how will the server disable sessions for such a client if the server can no longer even recognize the client the next time that one particular client comes back after clearing their sessions?

My idea would be to let the client side indicate if they want sessions (i.e. they allow cookies) during an Authentication request. If they do, enable sessions.

@Mis1eader-dev
Member Author

I have made a wrapper on top of Drogon for this purpose, although it is for WebSockets only at the moment.
