Session stored in cookie #14802
Comments
I wonder if this should go into quarkus core or whether it could be a quarkus-renarde feature?
My personal opinion is the exact opposite: session data should just be stored server-side and stuffing them into cookies is a last resort kind of thing. Vert.x Web has a cookie session store, which I intentionally chose not to support in #36310, but it would be the proper solution. It supports signing but not encryption, so it requires even more care than regular Vert.x Web sessions.
@Ladicek do you think we could move your PR forward? It's not about cookies, but if we could have session storage, it would cover a part of the problem.
I don't think anything has changed on the Vert.x Web side, so the danger of concurrent session access is still present.
Just a note: I will add this to the "2025 roadmap" (basically, things we would like to have in 2025). So, expect some work on that later this year.
I wonder if you're aware of the work @pferraro is doing on Vert.x Web [1] Vert.x Web built-in |
@Ladicek Thanks, no, I was not aware of that work! About the behavior, I still need time to wrap my head around and write some proposals.
OK, I think we should meet with @pferraro and talk, then. There's a non-trivial difference between how sessions work in Vert.x Web and WildFly and if anything, lessons that can be learned.
I can't find any issue about this, even though we discussed this in the past a lot.
It'd be nice to finally have a session cookie, signed, where we can store plain text stuff such as:
This will mostly be useful for Qute users, but they exist, so… :)
See #14794
The question is where would this live, given that cookies come from Vert.x, this is not really core. Though we could make an SPI if some users want to store their session data elsewhere, but I really don't want to start encouraging session usage besides cookies…
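The "signed but not encrypted" property raised in this thread, as an added example that is not part of the issue and is not Quarkus or Vert.x Web code: an HMAC-SHA256 tag makes the cookie tamper-evident, while the payload stays readable to anyone who holds the cookie. The class name `SignedCookieDemo`, the `payload.tag` layout, the secret and the payload are all constructed for illustration.

```java
import static java.nio.charset.StandardCharsets.UTF_8;

import java.security.MessageDigest;
import java.util.Base64;
import java.util.Optional;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper for illustration; not an API of Quarkus or Vert.x Web.
public class SignedCookieDemo {
    private static final Base64.Encoder ENC = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder DEC = Base64.getUrlDecoder();
    private final SecretKeySpec key;

    SignedCookieDemo(byte[] secret) { this.key = new SecretKeySpec(secret, "HmacSHA256"); }

    private byte[] mac(String encodedPayload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        return mac.doFinal(encodedPayload.getBytes(UTF_8));
    }

    // Cookie value: base64url(payload) "." base64url(HMAC over the encoded payload)
    String sign(String payload) throws Exception {
        String body = ENC.encodeToString(payload.getBytes(UTF_8));
        return body + "." + ENC.encodeToString(mac(body));
    }

    // Returns the payload only if the tag verifies; malformed input is rejected.
    Optional<String> verify(String cookie) throws Exception {
        int dot = cookie.indexOf('.');
        if (dot <= 0 || dot != cookie.lastIndexOf('.')) return Optional.empty();
        String body = cookie.substring(0, dot);
        try {
            byte[] tag = DEC.decode(cookie.substring(dot + 1));
            if (!MessageDigest.isEqual(mac(body), tag)) return Optional.empty(); // constant-time compare
            return Optional.of(new String(DEC.decode(body), UTF_8));
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // not valid base64url
        }
    }

    public static void main(String[] args) throws Exception {
        SignedCookieDemo c = new SignedCookieDemo("constructed-demo-secret".getBytes(UTF_8));
        String cookie = c.sign("user=alice;flash=Saved"); // constructed sample payload
        System.out.println("valid cookie verifies: " + c.verify(cookie).isPresent());
        // Signing gives no confidentiality: the payload decodes without the key.
        System.out.println("readable without key: " + new String(DEC.decode(cookie.split("\\.")[0]), UTF_8));
        String altered = ENC.encodeToString("user=bob".getBytes(UTF_8)) + cookie.substring(cookie.indexOf('.'));
        System.out.println("altered payload verifies: " + c.verify(altered).isPresent());
    }
}
```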