Expected Behavior
The issue I am encountering relates to the fact that while Spring Session / Security is saving my session data to Redis and applying a TTL (Time-To-Live) to the main session keys, the associated indexed keys (such as attributes indexed for lookups) are not automatically being set with a TTL. This means that these indexed keys can persist indefinitely unless manually deleted (e.g., through an explicit logout), leading to a potential memory leak.
Is there a way, and if not, can I request the ability to attach time limits to indexed components of sessions (e.g. in Redis). The normal session keys get cleaned up by Redis as they have a TTL, but as you can see below, when a session naturally expires, the other bits remain in Redis.
Explicit Logout
When I explicity logout, the following function gets called, and so the session is deleted from (i) namespace > sessions, (ii) namespace > sessions > expires, (iii) namespace > sessions > session id > idx, (iv) and namespace > sessions > expiration (sorted set)
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt#L40
Which calls this and this:
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L51
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/sessions/SessionControl.kt#L53
Which calls this and this:
https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L162
https://github.com/spring-projects/spring-session/blob/main/spring-session-core/src/main/java/org/springframework/session/web/server/session/SpringSessionWebSessionStore.java#L100
Which both ultimately call this:
https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L387
The 4 delete methods in here get called
https://github.com/spring-projects/spring-session/blob/main/spring-session-data-redis/src/main/java/org/springframework/session/data/redis/ReactiveRedisIndexedSessionRepository.java#L391
The following also gets called to do an RP Initiated Logout (to end the session that exists with the Auth0 Authorization server too)
- the delete BFF session, delete 2 cookies here:
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/SessionServerLogoutHandler.kt
- the logout from the auth server here (RP Initiated Logout):
https://github.com/dreamstar-enterprises/docs/blob/master/Spring%20BFF/BFF/src/main/kotlin/com/frontiers/bff/auth/handlers/oauth2/OAuth2ServerLogoutSuccessHandler.kt
Natural BFF session expiration
But how do I do the above, when the BFF session reaches its natural expiration time. When this happens Redis still leaves the following
Also the Auth0 session is never logged out from (so if the person logs in again via the Spring BFF, and the Auth0 session is still valid, and it will silently login without showing the Auth0 login page)
Comment From: jzheaux
Thanks for getting in touch, @dreamstar-enterprises! It feels like this is a question that would be better suited to Stack Overflow, specifically relating to the spring-session tag. We prefer to use GitHub issues only for bugs and enhancements. Feel free to update this issue with a link to the re-posted question (so that other people can find it) or add more detail if you feel this is a genuine bug.