feat: remove session id from session data

[SimenB]

Checklist

• run npm run test and npm run benchmark
• tests and/or benchmarks are included
• documentation is changed or added
• commit message and code follows the Developer's Certification of Origin
  and the Code of conduct

Fixes #52
Closes #70

I'm not 100% sure about the test changes, would like a second pair of eyes

[SimenB]

we don't check cookie before calling restore (

session/lib/fastifySession.js

Line 66 in 76459c2

if (session && session.expires && session.expires <= Date.now()) {

), only expires. So this could be a TypeError, depending on what's in the store

[mcollina]

what should be done about this?

[SimenB]

either works I think, but I think it's weird to look at the expiry of the cookie and not the expiry itself.

That said, express-session only looks at the cookie data, and have not hoisted expires up into its own top level thing. So we could do the same here and just get rid of the top level expires

[mcollina]

Go for that!

[SimenB]

I don't understand this test, so this change is probably wrong

[mcollina]

what would you like to do about this?

[SimenB]

I need to dig into the test to understand what it's supposed to test.

[rclmenezes]

I think the intent of this test was to verify that the old secret still works. The expiration should be + 1000 to make sure the cookie hasn't expired yet.

[rclmenezes]

I did some spelunkling. Why did this test pass earlier?

• The session was modified
• sessionId and encryptedSessionId were NOT in the session store
• This meant that a new session was created to contain the modifications

Thanks to your changes, sessionid / encryptedSessionId don't have to be in the test prep. This means the existing session will be used!

[SimenB]

this test is explicitly "if expired", not sure why expiry was set in the future?

[rclmenezes]

Yup, this test only passed because of request.session.test = {} in the handler modified the session.

I'm starting forking off your branch, rebasing and removing...

[jsardev]

@SimenB Hey! Can I help somehow to finish this PR? I'd need this change as well 🙏

[SimenB]

@sarneeh sure, go for it!

We tried rolling this out at work, and had to revert due to some sessions seemingly not updating correctly. Unfortunately I haven't found the time yet to dig into it, which also means this PR is on the backburner for the moment (and now I'm on vacation, so won't get to it for at least a few more weeks). However, feel free to pick this up in the meantime!

[rclmenezes]

Rebased + fixed some issues in: #114

[rclmenezes]

Yup, this test only passed because of request.session.test = {} in the handler modified the session.

I'm starting forking off your branch, rebasing and removing...

[rclmenezes]

I think the intent of this test was to verify that the old secret still works. The expiration should be + 1000 to make sure the cookie hasn't expired yet.

[rclmenezes]

I did some spelunkling. Why did this test pass earlier?

• The session was modified
• sessionId and encryptedSessionId were NOT in the session store
• This meant that a new session was created to contain the modifications

Thanks to your changes, sessionid / encryptedSessionId don't have to be in the test prep. This means the existing session will be used!

[rclmenezes]

This needs to be sess.cookie.expires.toISOString() or something. The Date object gets transformed into {} by stringify

e.g. str becomes something like {"cookie":{},"csrfSecret":"5iGefd13a29MxLBIMvAT5hrZ","passport":{"user":7}}

[Uzlopak]

closing this in favor of #114