OpenID sessions accumulate in the session forever
Bug #1779269 reported by William Grant
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | High | Maximiliano Bertacchini | 
Bug Description
There exists on production a session with more than 100MB of data, and a great many with more than 1MB. It seems that each OpenID request adds its data to the session, and it's never removed, e.g. in _process_
We should probably move the OpenID bits of the session into a subdict, store a timestamp alongside each one, and expire old (>24h?) ones when we add new ones.
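As an added illustration of the approach sketched in the description (this is not code from the linked branch or the project), the following Python keeps OpenID request data in a timestamped subdict of the session and expires stale entries on every insert; it also adds an optional hard cap on entries, which goes beyond the description. `OPENID_SESSION_KEY`, `OPENID_SESSION_TTL`, the function names and the dict-like `session` interface are assumptions.

```python
import json
import time

# Assumed names (not the project's): the subdict key and the TTL setting.
OPENID_SESSION_KEY = "openid_requests"
OPENID_SESSION_TTL = 24 * 60 * 60  # 24 hours, the value floated in the bug description


def store_openid_request(session, request_id, data, now=None,
                         ttl=OPENID_SESSION_TTL, max_entries=None):
    """Record one OpenID request's data in a timestamped subdict of the
    session, first dropping entries older than ``ttl`` seconds and, if
    ``max_entries`` is set, the oldest entries beyond that cap.
    Returns the ids that were evicted."""
    now = time.time() if now is None else now
    bucket = dict(session.get(OPENID_SESSION_KEY, {}))
    evicted = [rid for rid, e in bucket.items() if now - e["ts"] > ttl]
    for rid in evicted:
        del bucket[rid]
    bucket[request_id] = {"ts": now, "data": data}
    if max_entries is not None and len(bucket) > max_entries:
        # Evict oldest first, so a burst of requests cannot grow the session
        # unboundedly within a single TTL window.
        oldest = sorted(bucket, key=lambda rid: bucket[rid]["ts"])
        for rid in oldest[: len(bucket) - max_entries]:
            del bucket[rid]
            evicted.append(rid)
    # Reassign the top-level key: Django's session only flags itself as
    # modified on __setitem__/__delitem__, not on in-place edits of a nested dict.
    session[OPENID_SESSION_KEY] = bucket
    return evicted


def pop_openid_request(session, request_id):
    """Remove and return the stored data for one request, or None if absent."""
    bucket = dict(session.get(OPENID_SESSION_KEY, {}))
    entry = bucket.pop(request_id, None)
    session[OPENID_SESSION_KEY] = bucket
    return None if entry is None else entry["data"]


def openid_session_bytes(session):
    """Approximate serialised size of the OpenID subdict, for monitoring
    sessions that are growing past an expected bound."""
    return len(json.dumps(session.get(OPENID_SESSION_KEY, {})))
```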
Related branches

lp:~maxiberta/canonical-identity-provider/openid-session-ttl
- Daniel Manrique (community): Approve

Diff: 300 lines (+165/-2), 3 files modified
- django_project/settings_base.py (+1/-0)
- src/identityprovider/tests/test_views_server.py (+130/-1)
- src/identityprovider/views/server.py (+34/-1)
Changed in canonical-identity-provider:
- status: Triaged → In Progress
- assignee: nobody → Maximiliano Bertacchini (maxiberta)

Changed in canonical-identity-provider:
- status: In Progress → Fix Committed
I've checked empirically with a local SSO and local OpenID consumer, and I see this happening only when the consumer is an "untrusted" one (i.e. not one we have an OpenID RP configuration item for). We could check the logs in production SSO to try to understand which unknown peer (which I think might be in the referrer) is using us to authenticate. This is totally allowed by how OpenID works and doesn't contradict the solution William proposed.