Enhance Session Configuration Validation, Idle Timeout Enforcement, and Store Behavio #17

Open
opened 2025-10-29 08:07:51 +00:00 by H3ALY · 0 comments
Owner

Description:
The SCS session manager is initialized successfully and works with the current authentication flows. However, several pieces of functionality rely on conventions or defaults rather than explicit configuration, creating opportunities for subtle session-related issues in future development.

Improving session lifecycle handling, enforcing correct configuration values, and expanding the store options will further stabilize authentication behavior and security posture.

Current Behavior (observed in code):

Duration strings parsed without validation — silently fall back on defaults

Idle timeout settings depend on external middleware to refresh access

Cookie secure attributes tied solely to ProductionMode

In-memory session storage currently used by default (scs.New() store)

"Remember Me" logic partially implemented; rotation pending

Why this matters:

Ensures predictable security — particularly around idle timeouts and secure cookie policies

Enables future server scaling (remote store support)

Supports access control/security roadmap (admin flows, audit)

Prevents session abuse from misconfigurations

Scope of Work:
✅ Validate all duration settings at load time with clear errors
✅ Add logging/warnings when config values fallback to defaults
✅ Fully enforce idle timeout with tests validating middleware behavior
✅ Expand cookie policy options (e.g., Persistent, Strict SameSite optional)
✅ Allow secure session store configuration (file, DB, Redis)
✅ Complete and validate Remember-Me token rotation behavior
✅ Unit tests for session cookie flags + expiration behavior

Non-Goals:

No change to existing auth UX beyond stability/security fixes

No migration off SCS

Risks / Mitigations:

Low: Mainly configuration and validation behavior changes
✅ Mitigation: Deploy incrementally with logging before enforcing failures

Acceptance Criteria:
✅ Startup fails fast if duration fields invalid
✅ Idle timeouts verified via tests (automatic expiry)
✅ Session cookies respect secure settings based on environment
✅ Remote store option documented + bootstrap-ready
✅ Remember-Me rotation tested & replay-proof

Effort Estimate:
Medium (2–4 dev days)
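The first three scope items (validate durations at load time, warn on defaults, enforce idle timeout) together with the cookie-policy item can be exercised without the session library itself. The following is an added example, not code from this project or from SCS: a stand-alone config loader and expiry check written against the standard library only. The environment keys (`SESSION_LIFETIME`, `SESSION_IDLE_TIMEOUT`, `SESSION_COOKIE_SECURE`, `SESSION_COOKIE_SAMESITE`, `SESSION_COOKIE_PERSIST`), the `SessionConfig` field names and the default values are assumptions chosen for illustration; the real project would map the resulting struct onto the session manager's `Lifetime`, `IdleTimeout` and `Cookie` settings.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"time"
)

// SessionConfig is a hypothetical, already-validated form of the session
// settings. Field names are assumptions, not the project's own.
type SessionConfig struct {
	Lifetime    time.Duration // absolute lifetime from creation
	IdleTimeout time.Duration // maximum gap between requests
	Secure      bool          // cookie Secure attribute
	SameSite    http.SameSite // cookie SameSite attribute
	Persist     bool          // persistent vs session-only cookie
}

// Defaults are applied only when a key is absent, never when it is invalid,
// and every application of a default is reported through warn.
const (
	defaultLifetime    = 24 * time.Hour
	defaultIdleTimeout = 30 * time.Minute
)

// parseDurationKey reads key from raw. Missing -> default plus a warning;
// present but unparsable or non-positive -> error, so startup fails fast
// instead of silently falling back.
func parseDurationKey(raw map[string]string, key string, def time.Duration, warn func(string, ...any)) (time.Duration, error) {
	s, ok := raw[key]
	if !ok || s == "" {
		warn("config %s not set, using default %s", key, def)
		return def, nil
	}
	d, err := time.ParseDuration(s)
	if err != nil {
		return 0, fmt.Errorf("config %s: invalid duration %q: %w", key, s, err)
	}
	if d <= 0 {
		return 0, fmt.Errorf("config %s: duration must be positive, got %s", key, d)
	}
	return d, nil
}

// LoadSessionConfig validates the raw key/value settings. production forces
// the Secure flag on; outside production it is opt-in via SESSION_COOKIE_SECURE.
func LoadSessionConfig(raw map[string]string, production bool, warn func(string, ...any)) (SessionConfig, error) {
	var cfg SessionConfig
	var err error
	if cfg.Lifetime, err = parseDurationKey(raw, "SESSION_LIFETIME", defaultLifetime, warn); err != nil {
		return SessionConfig{}, err
	}
	if cfg.IdleTimeout, err = parseDurationKey(raw, "SESSION_IDLE_TIMEOUT", defaultIdleTimeout, warn); err != nil {
		return SessionConfig{}, err
	}
	if cfg.IdleTimeout > cfg.Lifetime {
		return SessionConfig{}, errors.New("config: SESSION_IDLE_TIMEOUT must not exceed SESSION_LIFETIME")
	}
	cfg.Secure = production || raw["SESSION_COOKIE_SECURE"] == "true"
	switch raw["SESSION_COOKIE_SAMESITE"] {
	case "", "lax":
		cfg.SameSite = http.SameSiteLaxMode
	case "strict":
		cfg.SameSite = http.SameSiteStrictMode
	default:
		return SessionConfig{}, fmt.Errorf("config SESSION_COOKIE_SAMESITE: want lax or strict, got %q", raw["SESSION_COOKIE_SAMESITE"])
	}
	cfg.Persist = raw["SESSION_COOKIE_PERSIST"] != "false"
	return cfg, nil
}

// SessionExpired applies both clocks: the absolute lifetime measured from
// creation and the idle timeout measured from the last request.
func SessionExpired(cfg SessionConfig, created, lastSeen, now time.Time) bool {
	return now.Sub(created) >= cfg.Lifetime || now.Sub(lastSeen) >= cfg.IdleTimeout
}

func main() {
	// Constructed sample settings: idle timeout invalid on purpose.
	raw := map[string]string{"SESSION_LIFETIME": "2h", "SESSION_IDLE_TIMEOUT": "fifteen"}
	if _, err := LoadSessionConfig(raw, true, log.Printf); err != nil {
		log.Fatalf("startup aborted: %v", err) // fail fast instead of using a default
	}
}
```

The two validation failures worth noting are the ones a default-based loader hides: a typo such as `fifteen` used to become 30 minutes without a trace, and an idle timeout longer than the lifetime is accepted by the library but never takes effect.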

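The Remember-Me items (complete token rotation; rotation tested and replay-proof) describe a property rather than a design, so the following added example shows one way to meet it. It is not the project's code: it uses the series/verifier layout, where a login creates a series and each redemption keeps the series but replaces the secret verifier. A presented token whose series is known but whose verifier no longer matches is by construction a stale copy, so the store revokes every token of that user and reports a replay. Type and method names, the `series.verifier` token format and the hash choice are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"strings"
	"sync"
	"time"
)

var (
	ErrInvalidToken = errors.New("remember-me: token not recognised")
	ErrReplay       = errors.New("remember-me: stale token presented; all tokens for user revoked")
	ErrExpired      = errors.New("remember-me: token expired")
)

// record is what the server keeps per series: only a hash of the verifier,
// so a leaked store does not yield usable tokens.
type record struct {
	userID  string
	hash    [32]byte
	expires time.Time
}

// RememberMeStore is a hypothetical in-memory store keyed by series id.
type RememberMeStore struct {
	mu      sync.Mutex
	ttl     time.Duration
	records map[string]record
	now     func() time.Time // injectable clock for tests
}

func NewRememberMeStore(ttl time.Duration) *RememberMeStore {
	return &RememberMeStore{ttl: ttl, records: map[string]record{}, now: time.Now}
}

func randomString(n int) (string, error) {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// Issue starts a new series for userID (called at login) and returns the
// token "series.verifier" to be set as the remember-me cookie.
func (s *RememberMeStore) Issue(userID string) (string, error) {
	series, err := randomString(12)
	if err != nil {
		return "", err
	}
	verifier, err := randomString(32)
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.records[series] = record{userID: userID, hash: sha256.Sum256([]byte(verifier)), expires: s.now().Add(s.ttl)}
	return series + "." + verifier, nil
}

// Redeem checks a presented token, rotates its verifier and returns the
// owner plus the replacement token. The old verifier is unusable afterwards.
func (s *RememberMeStore) Redeem(token string) (userID, next string, err error) {
	series, verifier, ok := strings.Cut(token, ".")
	if !ok {
		return "", "", ErrInvalidToken
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	rec, found := s.records[series]
	if !found {
		return "", "", ErrInvalidToken
	}
	presented := sha256.Sum256([]byte(verifier))
	if subtle.ConstantTimeCompare(rec.hash[:], presented[:]) != 1 {
		// Known series, wrong secret: an old copy of the token is in play.
		for id, r := range s.records {
			if r.userID == rec.userID {
				delete(s.records, id)
			}
		}
		return "", "", ErrReplay
	}
	if !s.now().Before(rec.expires) {
		delete(s.records, series)
		return "", "", ErrExpired
	}
	newVerifier, err := randomString(32)
	if err != nil {
		return "", "", err
	}
	s.records[series] = record{userID: rec.userID, hash: sha256.Sum256([]byte(newVerifier)), expires: s.now().Add(s.ttl)}
	return rec.userID, series + "." + newVerifier, nil
}
```

The useful test for the "replay-proof" acceptance criterion is the second redemption of an already-rotated token: it must not merely fail, it must be distinguishable from a random bad token so the caller can log it and clear the user's other sessions.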