1. 18 Jul, 2018 1 commit
    • Limit the TTL for anonymous sessions to 1 hour · c559c43d
      Stan Hu authored
      By default, all sessions are given the same expiration time configured in the
      session store (e.g. 1 week). However, unauthenticated users can generate a lot
      of sessions, primarily for CSRF verification. It makes sense to reduce the TTL
      for unauthenticated to something much lower than the default (e.g. 1 hour) to
      limit Redis memory. In addition, Rails creates a new session after login,
      so the short TTL doesn't even need to be extended.
      
      Closes #48101
  2. 17 Jul, 2018 39 commits