So I know that this is not really generalizable over sessions as a whole, but it would be nice if sessions
supported some notion of loading all existing user sessions. In particular, it wouldn't work for the cookie store, but most other stores, including FilesystemStore
and anything backed by a database, should be able to implement it easily.
My primary use case is to facilitate killing all sessions for a given user except one. I'm working on a website where it's desirable to have a relatively lax security policy regarding session cookies, but occasionally, users will use the site from a different computer (e.g. in a computer lab), and if they're in a rush, will leave without logging out. When they later get back to their own computer, they should be able to tell the site that any other sessions for their user should be terminated.
I successfully implemented this in my store (a vendored copy of postgrestore), but it doesn't make sense to me to submit a PR to that particular Store
implementation without having some support for it in sessions
.
I understand that asking the store to load all sessions is a potentially expensive operation, but the idea is that it would only be used when some global operation on sessions needs to happen, which is very infrequently.
As far as how sessions
would go about providing support for this operation, one backwards-compatible option would be to add a new interface:
// Name not set in stone, obviously.
type GetAllStore {
Store
GetAll() ([]*Session, error)
}
which could then be implemented by the Store
implementations that are able to provide that call:
var store sessions.Store
// ...
if x, ok := store.(sessions.GetAllStore); ok {
allSessions, err := x.GetAll()
} else {
// not supported
}
Then users could iterate over allSessions
and take any actions that they see fit based on its values. Updating a session this way would be potentially race-y, but again, my use case is just to delete them.
Thoughts?