This repository was archived by the owner on Nov 30, 2023. It is now read-only.

Cookie reuse question #130

@yiqingzhao


Hi,

Question regarding auth.get_user_by_session when reusing the previous auth cookie after the user logs out.

How to reproduce:

  1. I have RequestHandler.session_store configured with backend='datastore'.
  2. After login (with remember=True), capture the raw value of the auth cookie.
  3. Logout by calling auth.unset_session(), which deletes the UserToken from server side.
  4. Replace the auth cookie with the value captured in step 2.
  5. Reload the page; auth.get_user_by_session returns the previously logged-in user.

Here are my findings:

auth.get_user_by_session invokes get_user_by_token, which checks the cache and cache_ts first. The next step, token validation, is skipped if cache_ts is still valid.

So a valid client-side auth cookie can be reused as long as the cache timestamp is valid, even after the corresponding UserToken has been removed from the server side.

Am I right? Did I miss anything?
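Added illustration, not part of the original issue and not webapp2's own code: a constructed in-memory model of the caching behaviour described above. The token store, the user table and all function and field names are this example's assumptions; they only stand in for the user_id, token, cache and cache_ts values the issue mentions. It reproduces steps 1 to 5 against a lookup that trusts a fresh cache_ts, and against a lookup that verifies the token on every request, which is the effect of setting webapp2_extras.auth's token_cache_age to 0.

```python
import time

# Constructed stand-in for the server-side UserToken table (not a datastore
# model): the set of (user_id, token) pairs that are currently valid.
TOKENS = set()
# Constructed user table.
USERS = {"u1": {"name": "alice"}}


def create_token(user_id):
    """Issue a new server-side token for user_id (assumed token format)."""
    token = "tok-%s-%d" % (user_id, len(TOKENS))
    TOKENS.add((user_id, token))
    return token


def delete_token(user_id, token):
    """What unset_session does on the server: remove the UserToken."""
    TOKENS.discard((user_id, token))


def token_is_valid(user_id, token):
    """Server-side token validation: the pair must still exist."""
    return (user_id, token) in TOKENS


def login(user_id, now):
    """Return the session payload the auth cookie carries after login
    (field names are this example's own)."""
    token = create_token(user_id)
    return {"user_id": user_id, "token": token, "token_ts": now,
            "cache": dict(USERS[user_id]), "cache_ts": now, "remember": True}


def get_user_by_session_cached(session, now, token_cache_age=3600):
    """Model of the behaviour the issue describes: while cache_ts is within
    token_cache_age the cached user is returned and the token is not checked.
    Only once the cache is stale is the token looked up on the server."""
    if now - session["cache_ts"] < token_cache_age:
        return session["cache"]            # token validation skipped
    if not token_is_valid(session["user_id"], session["token"]):
        return None                        # token gone: session rejected
    session["cache_ts"] = now              # refresh the cache timestamp
    return dict(USERS[session["user_id"]])


def get_user_by_session_strict(session, now):
    """Hardened variant: verify the token on every request, i.e. run the
    cached variant with token_cache_age=0 so the cache is never trusted."""
    return get_user_by_session_cached(session, now, token_cache_age=0)


def replay_after_logout(lookup, delay=60):
    """Steps 1-5 of the report against a given lookup function: log in,
    capture the cookie, log out (token deleted), replay the captured cookie
    `delay` seconds later. Returns the user the replay resolves to, or None."""
    t0 = int(time.time())
    session = login("u1", t0)                           # step 2: capture cookie
    captured = dict(session)
    delete_token(session["user_id"], session["token"])  # step 3: unset_session
    return lookup(dict(captured), t0 + delay)           # steps 4-5: replay


if __name__ == "__main__":
    print("cached lookup, 60s after logout:", replay_after_logout(get_user_by_session_cached))
    print("cached lookup, cache expired   :", replay_after_logout(get_user_by_session_cached, delay=3601))
    print("strict lookup, 60s after logout:", replay_after_logout(get_user_by_session_strict))
```

Running it shows the replayed cookie still resolving to alice under the cached lookup until token_cache_age elapses, while the strict lookup rejects it immediately. The trade-off is one server-side token lookup per request instead of one per cache window.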
