gorilla / sessions

Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
https://gorilla.github.io
BSD 3-Clause "New" or "Revised" License

A question about deleting sessions #248

Closed BorisKoz closed 2 years ago

BorisKoz commented 3 years ago

Describe the problem you're having

I am currently using gorilla sessions in a small project and having trouble deleting sessions. When I save a session with Options.MaxAge = -1, I presume that the session is deleted. However, if I preemptively copy a working cookie client-side, it breaks. Acting as follows: Create cookie -> Save cookie -> Copy cookie on client -> Delete cookie -> Send a request with the copied cookie. The last request will get a cookie from the CookieStore that was supposed to be deleted.

Go version: go1.17.1 darwin/amd64
Package version: v1.2.1

Session code as follows (store, r, w, id and sessionName come from the surrounding handler):

Start

    // Get returns a new (empty) session if the request carries no valid cookie.
    session, _ := store.Get(r, sessionName)
    session.Values["id"] = id
    session.Options = &sessions.Options{
        MaxAge:   100000, // ~27 hours
        Secure:   true,
        HttpOnly: true,
        SameSite: http.SameSiteNoneMode,
        Path:     "/",
    }
    // Save writes the Set-Cookie header; the session is delivered to the client.
    err := session.Save(r, w)

Delete

    session, err := store.Get(r, sessionName)
    if err != nil {
        return err
    }
    sessionId, isIn := session.Values["id"]
    if isIn && id == sessionId {
        // MaxAge = -1 makes Save emit an expired Set-Cookie so the browser drops it.
        session.Options.MaxAge = -1
        err = session.Save(r, w)
        if err != nil {
            http.Error(w, err.Error(), http.StatusInternalServerError)
            return err
        }
    }
    return nil

Check

    session, err := store.Get(r, sessionName)
    if err != nil && !session.IsNew {
        return 0, err
    }
    // A copied cookie still decodes here, so "id" is present after the delete.
    id, isIn := session.Values["id"]

BorisKoz commented 3 years ago

To be noted: the solution to the problem can be just switching from CookieStore to FilesystemStore. It would still be preferable to add an equivalent of FilesystemStore's erase() into CookieStore.
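
The behaviour reported in the two comments above follows from where the session data lives. An added example (not code from gorilla/sessions or from the reporter) that models both store designs with the standard library only: a CookieStore-style session whose data sits in an HMAC-signed cookie value, and a FilesystemStore-style session where the cookie is an opaque id and the data is held server-side. The secret, the user id "user-42" and the type names are constructed for the example. Running the issue's sequence (issue, copy, delete, present the copy) against each shows why MaxAge = -1 alone cannot revoke a copied cookie and what the requested erase() equivalent has to touch.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
	"sync"
)

// Constructed secret for the example only; a real deployment loads it from configuration.
var secret = []byte("example-only-secret-not-for-production")

// CookieSession models a CookieStore-style design: the session data is the cookie
// value itself, protected by an HMAC. The server keeps no record it could consult.
type CookieSession struct{}

// Issue encodes the user id into a signed cookie value "payload.signature".
func (CookieSession) Issue(userID string) string {
	payload := base64.RawURLEncoding.EncodeToString([]byte(userID))
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(payload))
	return payload + "." + hex.EncodeToString(mac.Sum(nil))
}

// Validate returns the user id when the signature is intact. Telling the browser to
// drop the cookie (MaxAge = -1) changes nothing here, so any copy still verifies.
func (CookieSession) Validate(cookie string) (string, error) {
	parts := strings.SplitN(cookie, ".", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed cookie")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0]))
	want := hex.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(want), []byte(parts[1])) {
		return "", errors.New("bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	return string(raw), nil
}

// Delete is all a stateless store can do on logout: emit an expired Set-Cookie.
// There is no server-side state to remove, so this is a no-op here.
func (CookieSession) Delete(cookie string) {}

// ServerSession models a FilesystemStore-style design: the cookie carries only a
// random opaque id and the data lives on the server.
type ServerSession struct {
	mu   sync.Mutex
	data map[string]string
}

func NewServerSession() *ServerSession {
	return &ServerSession{data: make(map[string]string)}
}

// Issue stores the user id server-side and hands out a 256-bit random id.
func (s *ServerSession) Issue(userID string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	id := base64.RawURLEncoding.EncodeToString(buf)
	s.mu.Lock()
	s.data[id] = userID
	s.mu.Unlock()
	return id
}

// Validate accepts only ids that still have a server-side record.
func (s *ServerSession) Validate(cookie string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	user, ok := s.data[cookie]
	if !ok {
		return "", errors.New("unknown or revoked session")
	}
	return user, nil
}

// Delete removes the server record (the role of FilesystemStore's erase), which
// revokes every copy of the cookie at once.
func (s *ServerSession) Delete(cookie string) {
	s.mu.Lock()
	delete(s.data, cookie)
	s.mu.Unlock()
}

// StillValidAfterDelete runs the issue's sequence against a store and reports whether
// a client-side copy of the cookie is still accepted after the delete.
func StillValidAfterDelete(issue func(string) string, del func(string), validate func(string) (string, error)) bool {
	cookie := issue("user-42") // constructed user id
	copied := cookie           // copy taken on the client before the delete
	del(cookie)                // logout: MaxAge = -1 plus whatever the store does
	_, err := validate(copied)
	return err == nil
}

func main() {
	c := CookieSession{}
	s := NewServerSession()
	fmt.Println("cookie-style store, copy valid after delete:", StillValidAfterDelete(c.Issue, c.Delete, c.Validate))
	fmt.Println("server-side store, copy valid after delete:", StillValidAfterDelete(s.Issue, s.Delete, s.Validate))
}
```

The first line prints true: the signature on the copy is still valid, and nothing on the server records that the session was ended. The second prints false, because Delete removed the only thing that made the id meaningful. A CookieStore can only get the same effect by keeping some server-side state of its own (for example a list of revoked session ids checked on every request), which is exactly the erase() equivalent the second comment asks for.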

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days.

andy-js commented 1 year ago

FYI sonatype is tracking this as a security vulnerability: https://ossindex.sonatype.org/vulnerability/sonatype-2021-4899