# ktor
v
Hello, is it possible to add an expiration time (TTL) for a session cookie (client side), please?
e
You could use the `expires` field of the `Cookie` class
v
And for headers, are they the same thing?
e
Custom header or cookie header?
v
Custom header 🙂
e
Could you explain what you meant when you said `header expires`? The server doesn't store custom client headers as a state.
v
I don’t know if it’s possible. Can we give the header to the client and say this header expires in one hour, for example?
e
So the client should stop sending this header in an hour?
v
If he sends this header, I will redirect him to the login page because his header is invalid now
c
It should be done by setting the cookie expiration on the server side
v
So if I use client side, it’s impossible?
c
```kotlin
cookie<UserSession>(cookieName) {
    cookie.duration = Duration.ofHours(1)
}
```
The client should stop sending the cookie once it's expired
e
Could you explain your use case in more detail, please?
v
Yes, sure. The first time my user uses my API, he will be redirected to Google OAuth. After that, I sign and encrypt a header if the Google auth has worked. Finally, my user sends this header for all the other requests for the authentication. And the problem is: is it possible to send a header available only for one hour, for example?
I don’t know if it’s clear, sorry
e
Consider setting up a redirect in your API (if you use ktor, try to follow @cy's sample). If you can't do it on the server side, you could write a client interceptor.
Is it possible for you to redirect on the server side?
v
Yes, no problem, I use ktor
But what do you mean by redirect, how will it solve the problem?
e
When a client makes a request, you could check and redirect if the session is expired.
v
Yes, I understand, but how can I check 🙂?
d
The session has expired if it doesn’t exist anymore. So when you get the session, it returns null
v
Ok perfect, thank you! But that works with client-side..? Is it not only for sessions on the server side?
d
Didn't notice that. So you are using one cookie client side using ktor’s HttpClient? Then the server cannot cancel that session directly. What you can do is store in the session data a timestamp of validity. Then do something like
`if (System.currentTimeMillis() > mysession.validUntil) redirect(...)`
v
Ok, I was thinking of this solution but I didn’t know if it’s a good solution, thanks 🙂
d
Just remember that `call.respondRedirect` does not finish the function. So if you do it like a guard, you will have to return from the function. For example:
```kotlin
get("/") {
    if (cond) return@get call.respondRedirect("/invalid")
}
```
I guess that you can also simulate the redirection-from-exception that other frameworks do with `StatusPages` (so you can call a redirect in subfunctions or guard clauses without worrying about propagating the return to prevent the next code from being executed). For example:
```kotlin
fun Application.main() {
    install(StatusPages) {
        exception<HttpRedirectException> { e ->
            call.respondRedirect(e.location, permanent = e.permanent)
        }
    }
    routing {
        get("/") {
            if (true) redirect("/invalid")
        }
    }
}

class HttpRedirectException(val location: String, val permanent: Boolean = false) : RuntimeException()
fun redirect(location: String, permanent: Boolean = false): Nothing = throw HttpRedirectException(location, permanent)
```
v
Thank you very much