summaryrefslogtreecommitdiff
path: root/spec
diff options
context:
space:
mode:
authorStan Hu <stanhu@gmail.com>2018-07-18 11:18:14 -0700
committerStan Hu <stanhu@gmail.com>2018-07-18 12:39:51 -0700
commitc559c43dafb75005f5589c473729054845bb498b (patch)
tree590ffab29094fa7a64f8c1e0cc14552b76a2876a /spec
parent9bdc9b1ae69a62ad764d8ae59baa43a4a0be1d3a (diff)
downloadgitlab-ce-c559c43dafb75005f5589c473729054845bb498b.tar.gz
Limit the TTL for anonymous sessions to 1 hour
By default, all sessions are given the same expiration time configured in the session store (e.g. 1 week). However, unauthenticated users can generate a lot of sessions, primarily for CSRF verification. It makes sense to reduce the TTL for unauthenticated to something much lower than the default (e.g. 1 hour) to limit Redis memory. In addition, Rails creates a new session after login, so the short TTL doesn't even need to be extended. Closes #48101
Diffstat (limited to 'spec')
-rw-r--r--spec/controllers/application_controller_spec.rb26
1 files changed, 26 insertions, 0 deletions
diff --git a/spec/controllers/application_controller_spec.rb b/spec/controllers/application_controller_spec.rb
index 74f362fd7fc..f1165c73847 100644
--- a/spec/controllers/application_controller_spec.rb
+++ b/spec/controllers/application_controller_spec.rb
@@ -89,6 +89,32 @@ describe ApplicationController do
end
end
+ describe 'session expiration' do
+ controller(described_class) do
+ def index
+ render text: 'authenticated'
+ end
+ end
+
+ context 'authenticated user' do
+ it 'does not set the expire_after option' do
+ sign_in(create(:user))
+
+ get :index
+
+ expect(request.env['rack.session.options'][:expire_after]).to be_nil
+ end
+ end
+
+ context 'unauthenticated user' do
+ it 'sets the expire_after option' do
+ get :index
+
+ expect(request.env['rack.session.options'][:expire_after]).to eq(Settings.gitlab['unauthenticated_session_expire_delay'])
+ end
+ end
+ end
+
describe 'rescue from Gitlab::Git::Storage::Inaccessible' do
controller(described_class) do
def index