Testplan for Session Management

Hi everyone! Here is our testplan for Session Management (docs/testplan: Testplan for Session Management by nadimhq · Pull Request #4800 · storj/storj · GitHub)

We wanted to add another layer of security by ensuring sessions are closed in STORJ DCS automatically when not in use

| Test Scenario | Test Case | Description | Comments |
|---|---|---|---|
| Cookie Handling | Session ID | When a user logs in and creates a new session, there should be a signed session ID in a cookie | |
| | Request Authorization | With a signed session ID in a cookie, there should be a request to receive the session from the WebappSessions table with the given session ID in the cookie | |
| | Authorization 1 | First, the session is checked from the new table, given the session ID in the cookie, for NotFound or ExpiresAt having passed; then the cookie is deleted and the request is not authorized | |
| | Authorization 2 | Second, if there were no issues with authorization in the previous step and the session is valid in the new table given the session ID in the cookie, then the User struct should be received from the database using the UserID in the session | |
| | Logout - Delete Session | If the logout endpoint is called, then the session should be deleted from the database | |
| | Cookie Deletion | The cookie should be deleted only after the session is deleted from the database | |
| | Inactivity Timeout | The session should be invalidated if the user is inactive for a set period of time | |
| | Closing the Browser | A session should be invalidated once the user closes the browser used for that session | |
| | New IP Address | If a session is created from a new IP (different from the previous session), then there should be two-factor authentication to verify the user | |
| | Valid Authorization | If the session is valid in the new table given the session ID in the cookie, then the User struct should be received from the database using the UserID in the session | |
| Multiple Sessions | Logout - Delete Session | If a user is logged into multiple sessions, then all sessions should be invalidated once the user logs out from one of the sessions | |
| | Reset Password | If a user resets their password, then all sessions should be invalidated once the user successfully resets their password | |
| | Inactivity Timeout | Regardless of how many sessions there are, if there is inactivity in one session then all sessions should be invalidated for security purposes | |
| | Closing the Browser | Regardless of how many sessions there are, all sessions should be invalidated once the user closes the browser used for a session | |
5 Likes
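The checks the table above describes, written out as an added Go illustration (not storj's code and not from the linked PR): a signed session-ID cookie, a lookup in a stand-in for the WebappSessions table, row deletion on NotFound or expiry, refresh of the inactivity countdown on every authorized request (so uploads and downloads count as activity), and invalidation of all of a user's sessions at once. Type, field and function names are assumed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"strings"
	"time"
)

// ErrUnauthorized is the Authorization 1 outcome for both NotFound and "ExpiresAt has passed".
var ErrUnauthorized = fmt.Errorf("session not found or expired")
type Session struct { // one WebappSessions row (field names are assumed for this example)
	UserID    string
	ExpiresAt time.Time
}
type Store struct { // in-memory stand-in for the table
	key      []byte // HMAC key used to sign the cookie value
	sessions map[string]*Session
	timeout  time.Duration // inactivity limit
}
// Cookie returns "id.mac"; the tag lets a forged or edited cookie be rejected before any lookup.
func (s *Store) Cookie(id string) string {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(id))
	return fmt.Sprintf("%s.%x", id, m.Sum(nil))
}
// Authorize covers Authorization 1 and 2: check the tag, delete a missing or expired row, else
// refresh ExpiresAt (uploads and downloads count as activity) and return the UserID.
func (s *Store) Authorize(cookie string, now time.Time) (string, error) {
	id, _, _ := strings.Cut(cookie, ".")
	if !hmac.Equal([]byte(cookie), []byte(s.Cookie(id))) {
		return "", ErrUnauthorized // bad signature: never touch the table on unverified input
	}
	sess, ok := s.sessions[id]
	if !ok || !now.Before(sess.ExpiresAt) {
		delete(s.sessions, id) // the HTTP layer then clears the client cookie as well
		return "", ErrUnauthorized
	}
	sess.ExpiresAt = now.Add(s.timeout)
	return sess.UserID, nil
}
// LogoutAll invalidates every session of a user ("Multiple Sessions": logout and password reset).
func (s *Store) LogoutAll(userID string) {
	for id, sess := range s.sessions {
		if sess.UserID == userID {
			delete(s.sessions, id)
		}
	}
}
```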

Sessions should take downloading or uploading processes into account as activity; otherwise big files can't be uploaded or downloaded before the timeout occurs.

4 Likes

Yup, should clarify that this is super high level, so everything you listed should be covered in inactivity timeout! (downloading or uploading atm should count as being active in this case)

1 Like

We have received support tickets indicating that the timeout happens before they can finish their upload of 10GB with the current implementation.

2 Likes

Yup, we currently have a ticket for that issue in our backlog!

2 Likes

Any ETA as to when a fix will be implemented? I tried to upload some files this afternoon, but the system automatically logged me out before the uploading process is finished due to the new session timeout management.

Hello @Tanshe,
Welcome to the forum!

The web interface was not intended for daily usage or uploading big files. While you are waiting for a release, you may use Cyberduck or FileZilla, rclone or uplink.

The choice depends on your upstream bandwidth: if it’s greater than or equal to 100Mbit, you may use a native integration (FileZilla Native Integration | Storj Docs, Uplink CLI | Storj Docs, Rclone with Native Integration | Storj Docs); if it’s lower than 20Mbit it’s better to use S3-compatible clients (Cyberduck, FileZilla PRO, Rclone with Hosted Gateway | Storj Docs, etc.)

See also Hotrodding Decentralized Storage

Which browser are you using? I’ve just tested a workaround using Chrome and the ‘Tab Reloader’ extension…

Open a separate tab on the main dashboard page
Set the dashboard tab to reload every 30 seconds (thus keeping the session active)
On the main tab set your uploads running
Ignore any errors as uploads will continue in the background

I set my network speed to 10Mbps to test a slow upload of a big file.

*** this didn’t work once the upload had finished. The browser session timed out and I was logged out as before.

1 Like

Thanks, that method works for me. Apologies for my belated reply, I’m kinda busy these days.

Hmm, I tried using Filezilla just recently, but the upload speed is just bad. Without FTP client, my normal upload speed is around 1-2 MBPS, but when using Filezilla, my speed dropped to around 30-50 KBPS max.

With low upstream bandwidth it’s better to use S3 integration with Storj-hosted S3 Compatible Gateway | Storj Docs instead of native, like Cyberduck, S3 Browser, FileZilla PRO or rclone.

I’ll check that out. Thanks again.

1 Like

In the meantime, the session timeout has been enabled on all production satellites. A big file upload will continue refreshing the session. So the countdown will start after the upload finishes. Same for downloads.

6 Likes