For session caching is there a recommended methodo...
# ory-network
For session caching is there a recommended methodology? I usually do: 1. Restricted page or login clicked. 2. Server redirect to kratos, client log-in, get session 3. Redirect to "finished" page. 4. Notice/Expect kratos session on endpoint load. (redirect back to login or error if no session) 5. Cache session against extended user information in redis / database. 6. Further requests do not test / check against kratos for validity unless the expires_at field is expired. Does that seem safe or am I missing something fundamental?
logout is impossible with that strategy
or any other means of session invalidation
Well I mean I'd invalidate the session myself and purge from redis/cache.
Regardless of my excuse, does it still just make more sense to start every HTTP request with whoami?
Hey Adam, yes you could definitely hook into the logout routine and invalidate the session server-side as well. We are also adding Web Hooks as we speak to Ory Cloud and we want to have web hooks for logout events in the future. This will help with invalidation. Alternatively you can also just cache for a TTL that is acceptable to you where the session cookie is still valid. The cookie is of course deleted on the browser so the user is logged out, it's just that if he/she still had the cookie, it would still work.
TLDR; I think your cache is totally fine! We want to add this capa also into some of our midleware and the Ory Proxy so hopefully you don't have to do this in the future.
And we're also working on bringing down the latency of hot whoami requests to ~20-30ms
Very good. Thank you for the clarification. Future looks bright. 8) Appreciate it.
Absolutely, thank you for being a part of the journey 🙂
❤️ 1