Testplan for Session Management

Hi everyone! Here is our testplan for Session Management (docs/testplan: Testplan for Session Management by nadimhq · Pull Request #4800 · storj/storj · GitHub)

We wanted to add another layer of security by ensuring sessions are closed in STORJ DCS automatically when not in use

Test Scenario Test Case Description Comments
Cookie Handling Session ID When user logs in and creates a new session, there should be a signed session ID in a cookie
Request Authorization With a signed session ID in a cookie, there should be a request to receive the session from the WebappSessions table w/ the given session ID in the cookie
Authorization 1 First the session checked if NotFound or ExpiresAt has passed from the new table given the session ID in the cookie, then the cookie is deleted and request is not authorized
Authorization 2 Second, if there were no issues with authorization from the previous step and if the session is valid from the new table given the session ID in the cookie, then the User struct should be received from the database using the UserID in the session
Logout- Delete Session If logout endpoint is called, then session should be deleted from database
Cookie Deletion Cookie should be deleted only after session is deleted from database
Inactivity Timeout Session should be invalidated if user is inactive for a set period of time
Closing the Browser A session should be invalidated once the user closes their browser for a session
New IP Address If a session is created from a new IP(different than previous session), then there should be two-factor authentication to verify the user
Valid Authorization If the session is valid from the new table given the session ID in the cookie, then User struct should be received from the database using the UserID in the session
Multiple Sessions Logout- Delete Session If a user is logged into multiple sessions, then all sessions should be invalidated once the user logs out from one of the sessions
Reset Password If a user resets their password, then all sessions should be invalidated once the user successfully resets their password
Inactivity Timeout Regardless of how many sessions there are, if there is inactivity in one sessions then all sessions should be invalidated for security purposes
Closing the Browser Regardless of how many sessions there are all sessions should be invalidated once the user closes the browser used for a session
5 Likes

Session shold take in account downloading or uploading process as activity, other way big files cant be uploaded or downloaded before timeout accrues.

4 Likes

Yup, should clarify that this is super high level, so everything you listed should be covered in inactivity timeout! (downloading or uploading atm should count as being active in this case)

1 Like

We have received support tickets indicating that the timeout happens before they can finish their upload of 10GB with the current implementation.

2 Likes

Yup, we currently have a ticket for that issue in our backlog!

2 Likes

Any ETA as to when a fix will be implemented? I tried to upload some files this afternoon, but the system automatically logged me out before the uploading process is finished due to the new session timeout management.

Hello @Tanshe,
Welcome to the forum!

The web interface was not intended for daily usage or upload big files. While you waiting for a release, you may use Cyberduck or FileZilla, rclone or uplink.

The choice is depend on your upstream bandwidth, if it’s greater or equal to 100Mbit, you may use a native integration (FileZilla Native Integration | Storj Docs, Uplink CLI | Storj Docs, Rclone with Native Integration | Storj Docs), if it’s lower than 20Mbit it’s better to use an S3-compatible clients (Cyberduck, FileZilla PRO, Rclone with Hosted Gateway | Storj Docs, etc.)

See also Hotrodding Decentralized Storage

Which browser are you using? I’ve just tested a workaround using Chrome and the ‘Tab Reloader’ extension…

Open a separate tab on the main dashboard page
Set the dashboard tab to reload every 30 seconds (thus keeping the session active)
On the main tab set your uploads running
Ignore any errors as uploads will continue in the background

I set my network speed to 10Mbps to test a slow upload of a big file.

*** this didn’t work once the upload had finished. The browser session timed out and I was logged out as before.

1 Like

Thanks, that method works for me. Apologize for my belated reply, I’m kinda busy these days.

Hmm, I tried using Filezilla just recently, but the upload speed is just bad. Without FTP client, my normal upload speed is around 1-2 MBPS, but when using Filezilla, my speed dropped to around 30-50 KBPS max.

With low upstream bandwidth it’s better to use S3 integration with Storj-hosted S3 Compatible Gateway | Storj Docs instead of native, like Cyberduck, S3 Browser, FileZilla PRO or rclone.

I’ll check that out. Thanks again.

1 Like