Unwanted CookieBasedSession in Nancy Implementation

[devandy]

In the Nancy implementation, there is a class that set the CookieBasedSession (EnableSessions.cs) on application start up.
This is bad because ovverides the application specific implementation of session management.
I think that that class has to be removed, and let the developer decide which type of session implementation is the best choice.

[PureKrome]

@devandy can you please link to the specific code/file that this exists on?

[xt0rted]

Cookie based sessions are enabled here EnableSessions.cs#L9

[devandy]

Yes, removing it the application's session management works again.

[phillip-haydon]

This library should work out of the box so we need to enable sessions for it to work. So I guess we need to add a setting to disable the setting when you want to control it yourself.

[PureKrome]

@devandy out of interest, what type of session are you using and how are you setting that up, etc?

[devandy]

I'm using a MemoryCacheBasedSessions found on github (it uses an System.Runtime.Caching.ObjectCache to store values).
I'm setting it up in the Bootstrapper's ApplicationStartup method, hooking the pipelines:

pipelines.BeforeRequest.AddItemToStartOfPipeline(LoadSession);
pipelines.AfterRequest.AddItemToEndOfPipeline(SaveSession);

[PureKrome]

OK. So I started looking into this issue and realized I'm an idiot (again) - I totally misunderstood the context of this problem.

So, with a Nancy app, the SA code was force-wiring up Cookies as the session backing store. not good.

In my new code for the v2.0 release, this is some sample code that is using sessions...

var redirectionResult = _webApplicationService.RedirectToProvider(redirectToProviderData);

// Remember any important information for later, after we've returned back here.
Session[SessionKeyState] = redirectionResult.CacheData;

// Now redirect :)
result = Response.AsRedirect(redirectionResult.RedirectUrl.AbsoluteUri);

So this is using the Nancy ISession object/property. So .. people .. correct me on this .. but anyone can determine the session provider to use for their nancy projects right? Either InMemory or Cookies, right? (ie. define this in the bootstrap). Also, what's the default one if nothing is set by the developer? An InMemory?

If that's the case, then my new code is good and I can close this issue.

[PureKrome]

This bug is linked to #145

[xt0rted]

Nancy doesn't have session support out of the box, you need to opt-in to it. The default provider will throw an exception if you try to access the session object.

[PureKrome]

Ahhhh - excellent reply @xt0rted

Ok - so the next question is this: By default (for a Nancy web app), is it acceptable that Simple Authentication with throw an exception when a person tries to Redirect to a Provider (google, fb, etc) ?

My vote: yes it is. Rational: I see this as a Nancy concern, not an SA concern.

Thoughts anyone?

[fjeldstad]

@PureKrome 👍

[devandy]

Yes, I expect that if i don't enable session support I'll get an exception, it's not a SA concern. Obviously I expect that there is a note in the SA documentation about Nancy Session Support requirement.

[PureKrome]

Sweet! I'll add a label here so I know to document this issue when I get around to releasing the vnext.

[devandy]

@PureKrome 👍