Session Cookies?

Skeer

Sorry if this is kinda elementary, I'm not familiar enough with Cookies to figure this out so far. Does CW set a consistent session cookie from login through either refresh or expiration?

gregtwallace

Yes, there is one cookie that stores a session token. You can see it if you use your browsers developer tools.

Skeer

Thought so, just wanted to be positive. A second if I may, is the cookie: session_token=xx relying or using the clients IP at all?

gregtwallace

No, only the cookie value is validated during refresh.

Skeer

Hey Greg, Is the session_token also stored in the DB or somewhere else?

I'm trying to figure out how I can manage those tokens across multiple containers (tasks). I looked at adding a Redis cache, with a Lambda function and an API Gateway but that's getting complicated. Next idea was perhaps a Redis sidecar until I remembered that the task definition is using an EFS volume to store /app/data for the containers.

It's possible that my tasks aren't using that volume correctly if everything is stored in /opt/certwarden/data/app/appdata.db

Skeer

Actually I think I figured it out. I'm working on a tweak to your projects that uses a redis sidecar for session states.

gregtwallace

The tokens/sessions are kept in a map in memory:

https://github.com/gregtwallace/certwarden-backend/tree/master/pkg/domain/app/auth/session_manager

They are not available on disk anywhere.