Do not save sessions on authorization in API access

3 years ago
mystik
Member | 308
+
0
-

Is there any best practice how to prevent creation of unnecessary sessions when use is authorized in API call? Currently whern I uthorize user based on APi request apiKey then every time new session file is created because User and USerStorage creates them automatically when authorization occurs. Because our API can be quite bussy it causes problems with virtual machine diskspace (inodes). We need some way to tell our app that in these requests authorization information can be stored only in-memory and there is no need to create session.

What would be best way to let user authorize but disable creation of sessions? Create custom UserStorage that allows enabling/disabling of session? Then call disabling of session in APi presenters startup? Or is there any other way?

3 years ago
dkorpar
Member | 135
+
0
-

My problem also… One thing that would solve this nicely would be to include some SessionIdGenerator to Session class so we can override sessionId as we like, then it could even reuse UserStorage…
Otherwise feels like to much pain (implementing your own nette\security)

3 years ago
Felix
Nette Core | 1196
+
0
-

You can route all /api/* through other index (api.php) with disabled session at all.