go-session / session

An efficient, safe and easy-to-use session library for Go.
https://godoc.org/github.com/go-session/session
MIT License

A doubt about expiring session #10

Closed gandaldf closed 2 years ago

gandaldf commented 3 years ago

Hi, I have some doubts regarding this line:

https://github.com/go-session/session/blob/77451f66169ec1e21047f1572c6c067f1dfb4d82/store.go#L143

I don't fully understand why you keep adding life to the items. I tried this:

package main

import (
	"context"
	"fmt"
	"net/http"

	"github.com/go-session/session"
)

func main() {
	session.InitManager(
		session.SetSecure(true),
		session.SetEnableSetCookie(true),
		session.SetCookieName("my-session"),
		session.SetCookieLifeTime(300), // 5 minutes
		session.SetExpired(300),        // 5 minutes
		session.SetEnableSIDInURLQuery(false),
		session.SetEnableSIDInHTTPHeader(false),
	)

	// /set creates (or resumes) a session and stores one value in it.
	http.HandleFunc("/set", func(w http.ResponseWriter, r *http.Request) {
		store, err := session.Start(context.Background(), w, r)
		if err != nil {
			fmt.Fprint(w, err)
			return
		}

		store.Set("foo", "bar")
		err = store.Save()
		if err != nil {
			fmt.Fprint(w, err)
			return
		}
	})

	// /get resumes the session identified by the cookie and reads the value back.
	http.HandleFunc("/get", func(w http.ResponseWriter, r *http.Request) {
		store, err := session.Start(context.Background(), w, r)
		if err != nil {
			fmt.Fprint(w, err)
			return
		}

		foo, ok := store.Get("foo")
		if ok {
			fmt.Fprintf(w, "foo:%s", foo)
			return
		}
		fmt.Fprint(w, "does not exist")
	})

	http.ListenAndServe(":8080", nil)
}

After 5 minutes the cookie expires and I would no longer be able to access my in-memory session again. BUT, if I had copied its value before it expired, I could easily change it on the new one the server sends me on the next request (i.e. from Chrome->dev tools->Application) and I would be perfectly able to access my old session. All this because the above line keeps extending the item life by the SetExpired() value. To be more specific, that line is in the store Update() func called by the session Start() func in my "get" http handler. Is it the right behaviour and is there something I don't understand, or is it a bug? Do the other non-in-memory stores work the same way? Thank you very much!
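
The behaviour described in the comment above is a purely sliding (idle) expiry: every request that presents a session ID pushes its expiry forward by the configured window, so an ID that keeps being replayed never dies. The usual mitigation is to pair the idle timeout with an absolute lifetime measured from when the session was created, which activity cannot extend. The following is an added, self-contained illustration of that distinction, not go-session's own store code; `Store`, `Touch` and `keepAlive` are constructed names, the injected clock stands in for real time, and `"sid-1"` is a constructed sample ID.

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// sessionItem is one in-memory session record (illustrative, not go-session's store.go).
type sessionItem struct {
	created  time.Time // when the session was first issued
	lastSeen time.Time // last request that presented this session ID
	values   map[string]interface{}
}

// Store keeps sessions in memory under two independent limits: idle is the
// sliding timeout refreshed on every access (the extend-on-Update behaviour
// discussed in the issue), absolute is a hard cap from creation that no
// amount of activity can extend. absolute == 0 means sliding-only.
type Store struct {
	mu       sync.Mutex
	items    map[string]*sessionItem
	idle     time.Duration
	absolute time.Duration
	now      func() time.Time // injectable clock so the policy can be simulated offline
}

// NewStore builds a store; a nil clock falls back to time.Now.
func NewStore(idle, absolute time.Duration, now func() time.Time) *Store {
	if now == nil {
		now = time.Now
	}
	return &Store{items: map[string]*sessionItem{}, idle: idle, absolute: absolute, now: now}
}

// Create registers a brand-new session under sid.
func (s *Store) Create(sid string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	t := s.now()
	s.items[sid] = &sessionItem{created: t, lastSeen: t, values: map[string]interface{}{}}
}

// expired applies both limits to an item at time t.
func (s *Store) expired(it *sessionItem, t time.Time) bool {
	if t.Sub(it.lastSeen) > s.idle {
		return true
	}
	if s.absolute > 0 && t.Sub(it.created) > s.absolute {
		return true
	}
	return false
}

// Touch is what a request does on Start: look the session up and, if it is
// still valid, refresh the idle timer. It returns false for an unknown or
// expired sid, in which case the caller should issue a fresh ID rather than
// resurrect the old record.
func (s *Store) Touch(sid string) bool {
	s.mu.Lock()
	defer s.mu.Unlock()
	it, ok := s.items[sid]
	if !ok {
		return false
	}
	t := s.now()
	if s.expired(it, t) {
		delete(s.items, sid)
		return false
	}
	it.lastSeen = t
	return true
}

// keepAlive simulates a client that replays the same session ID once every
// `every` for a total of `total` and reports whether the ID is still accepted
// at the end. It is the check a reviewer would run against the expiry policy.
func keepAlive(idle, absolute, every, total time.Duration) bool {
	clock := time.Unix(0, 0)
	s := NewStore(idle, absolute, func() time.Time { return clock })
	s.Create("sid-1") // constructed sample session ID
	for elapsed := every; elapsed <= total; elapsed += every {
		clock = clock.Add(every)
		if !s.Touch("sid-1") {
			return false
		}
	}
	return true
}

func main() {
	// 5-minute idle window replayed every 4 minutes for a day: sliding-only never expires it.
	fmt.Println("sliding only, replayed for 24h:", keepAlive(5*time.Minute, 0, 4*time.Minute, 24*time.Hour))
	// Same replay with a 1-hour absolute cap: the session dies after an hour regardless.
	fmt.Println("with 1h absolute cap:", keepAlive(5*time.Minute, time.Hour, 4*time.Minute, 24*time.Hour))
	// Idle limit still applies on its own when the client goes quiet for 6 minutes.
	fmt.Println("silent for 6m:", keepAlive(5*time.Minute, time.Hour, 6*time.Minute, 12*time.Minute))
}
```

With the idle timer alone, the first run returns true after a full day of replays, which is exactly the concern raised in the comment; adding the absolute cap makes the second run return false once the hour from creation has passed, while the third run shows the idle timeout still ends a quiet session. In a real deployment the absolute lifetime and idle window would be set to the values appropriate for the application, and the ID would be rotated on privilege changes such as login.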

gandaldf commented 2 years ago

I'm closing this; better support using: https://github.com/alexedwards/scs