Skip to content

feat: add configurable session cache to cookie_session authenticator #1244

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

feat: add configurable session cache to cookie_session authenticator #1244

wants to merge 5 commits into from
+349 −21

Conversation

wewelll
Copy link

@wewelll wewelll commented Oct 16, 2025
edited
Loading

This pull request adds a configurable session cache to the cookie_session authenticator, reducing load on session stores and preventing rate limit errors during high traffic periods. The implementation aligns with the existing cache patterns used in oauth2_introspection and oauth2_client_credentials authenticators.

Key Features

  • Configurable cache with enabled, ttl, and max_cost settings
  • Backward compatible - cache is disabled by default
  • Rate limit handling - proper 429 error handling and retry guidance
  • Consistent implementation - follows the same patterns as OAuth2 authenticators
  • Comprehensive tests - separate cache test file following established patterns

Configuration Example

authenticators:
  cookie_session:
    enabled: true
    config:
      check_session_url: https://session-store/sessions/whoami
      cache:
        enabled: true
        ttl: 1s
        max_cost: 10000000

Benefits

  • Reduces session store load - Caches session data to minimize repeated requests
  • Prevents rate limiting - Avoids 429 errors during traffic bursts
  • Improves performance - Faster authentication for cached sessions
  • Production ready - Default TTL of 1s balances caching benefits with data freshness

Related issue(s)

Fixes #1167
Completes #1232

Checklist

  • I have read the contributing guidelines.
  • I have referenced an issue containing the design document if my change
    introduces a new feature.
  • I am following the
    contributing code guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security vulnerability, I
    confirm that I got the approval (please contact
    [email protected]) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

Further Comments

This PR completes the work started in #1232 by adding cache support to the cookie_session authenticator. The implementation follows the exact same patterns as the OAuth2 authenticators to ensure consistency across the codebase:

  • Cache key generation based on all cookies in the request
  • Separate cache test file (authenticator_cookie_session_cache_test.go)
  • Same configuration schema structure
  • Identical error handling patterns

The default TTL was set to 1 second (instead of 60s) to balance the benefits of caching with the need for fresh session data in most use cases. Users can configure longer TTLs based on their specific requirements.

@wewelll wewelll requested review from a team and aeneasr as code owners October 16, 2025 21:25
@wewelll wewelll force-pushed the feature/cookie-session-cache branch from 0297bd1 to 492cd5f Compare October 16, 2025 21:38
@wewelll wewelll mentioned this pull request Oct 16, 2025
Open
5 tasks
@wewelll wewelll force-pushed the feature/cookie-session-cache branch 2 times, most recently from 4298cee to 3429778 Compare October 16, 2025 22:11
@wewelll
feat: add configurable session cache to cookie_session authenticator …
8121f7e 
…to reduce session store requests and prevent rate limit errors
@wewelll
chore: change default cache TTL from 60s to 1s in cookie_session auth…
54d5446 
…enticator schema
@wewelll
refactor: align cookie_session cache implementation with OAuth2 authe…
411bfec 
…nticators

- Change MaxCost type from int to int64 to match oauth2_introspection and oauth2_client_credentials
- Extract cache tests to separate file following established pattern
- Remove cache tests from main authenticator test file
@wewelll
docs: restore backward compatibility comment for Cookie header forwar…
cc41d75 
…ding
@wewelll wewelll force-pushed the feature/cookie-session-cache branch from c807ed3 to 917e7a4 Compare October 18, 2025 18:06
@wewelll wewelll force-pushed the feature/cookie-session-cache branch from 917e7a4 to 0693b8a Compare October 18, 2025 18:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aeneasr aeneasr Awaiting requested review from aeneasr aeneasr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Oathkeeper returns a 401 "Access credentials are invalid" when exceeding Ory Network's rate limiting on /sessions/whoami endpoint

1 participant

@wewelll