Feature #29041

Update session token only once per minute

Added by Pavel Rosický over 1 year ago. Updated 11 months ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Performance
Target version: -
Resolution:

Description

This is similar to #28952.

If Rails.application.config.redmine_verify_sessions is enabled, basically each read request triggers an update to the tokens table. This is bad for performance because it blocks the database.
My patch transforms the update query into a select query that doesn't block on heavy load. We could actually update the token only once per hour, which is the minimum available setting for Setting.session_lifetime and Setting.session_timeout, but redmine modifications could use smaller values, so I chose a 1 minute interval. A session_timeout smaller than 1 minute won't work now, but I think such a small timeout doesn't make much sense.
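To make the trade-off concrete, here is an added Ruby model (not Redmine's code and not the attached patch) of the two verification strategies side by side: an in-memory stand-in for the tokens table where `verify_always_update` rewrites `updated_on` on every request and `verify_throttled` reads first and writes only when the row is at least a minute old. The class, method names and the write counter are assumptions for illustration; setting values are in minutes, as in Redmine.

```ruby
# Constructed in-memory stand-in for Redmine's tokens table (one row per session token).
# Settings are in minutes, as Setting.session_lifetime / Setting.session_timeout are.
class SessionVerifier
  THROTTLE = 60 # seconds: refresh updated_on at most once per minute

  attr_reader :writes # number of UPDATE statements issued, to show the saving
  def initialize(session_lifetime: 0, session_timeout: 0)
    @rows = []   # each row: { user_id:, value:, created_on:, updated_on: }
    @writes = 0
    @lifetime = session_lifetime * 60
    @timeout = session_timeout * 60
  end

  def create(user_id, value, now)
    @rows << { user_id: user_id, value: value, created_on: now, updated_on: now }
  end

  # Behaviour before the patch: every verified request rewrites updated_on,
  # so each GET takes a row lock on the tokens table.
  def verify_always_update(user_id, value, now)
    row = live_row(user_id, value, now) or return false
    @writes += 1
    row[:updated_on] = now
    true
  end

  # Behaviour proposed in this issue: SELECT first and UPDATE only when the
  # row is at least THROTTLE old; the expiry checks themselves are unchanged.
  def verify_throttled(user_id, value, now)
    row = live_row(user_id, value, now) or return false
    if now - row[:updated_on] >= THROTTLE
      @writes += 1
      row[:updated_on] = now
    end
    true
  end

  private

  # SELECT equivalent: the token must exist, be younger than session_lifetime
  # and not idle longer than session_timeout (0 disables a check).
  def live_row(user_id, value, now)
    @rows.find do |r|
      r[:user_id] == user_id && r[:value] == value &&
        (@lifetime.zero? || now - r[:created_on] < @lifetime) &&
        (@timeout.zero? || now - r[:updated_on] < @timeout)
    end
  end
end
```

With a one-hour session_timeout, ten requests in the same minute cost ten writes under the old behaviour and none under the throttled one, while an expired or unknown token is rejected by both.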

user.rb.patch (644 Bytes) Pavel Rosický, 2018-06-17 19:55

sessions_controller_test.rb.patch (865 Bytes) Pavel Rosický, 2018-06-17 19:55

user.rb.patch (665 Bytes) Pavel Rosický, 2018-06-18 11:05


Related issues

Related to Redmine - Feature #28952: Update User#last_login_on only once per minute Closed

History

#1 Updated by Marius BALTEANU over 1 year ago

  • Related to Feature #28952: Update User#last_login_on only once per minute added

#2 Updated by Pavel Rosický over 1 year ago

#3 Updated by Pavel Rosický 11 months ago

ping Marius BALTEANU

#4 Updated by Marius BALTEANU 11 months ago

Pavel Rosický wrote:

ping Marius BALTEANU

Pong. Have I missed something?

#5 Updated by Pavel Rosický 11 months ago

If you have time, could you review? https://www.redmine.org/attachments/20901/user.rb.patch

GET requests shouldn't update a database all the time. It's even more relevant for #29513.

Disabling Rails.application.config.redmine_verify_sessions isn't an option because it makes Redmine vulnerable.

Are there any security concerns about this change?
