search

gorilla / sessions

Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
https://gorilla.github.io
BSD 3-Clause "New" or "Revised" License
2.93k stars 371 forks source link

Session still exists after setting MaxAge = -1 #271

Closed Hitan999 closed 5 months ago

Hitan999 commented 10 months ago

Is there an existing issue for this?

Current Behavior

I wrote Gorilla Sessions to manage login and logout sessions a platform, and I attach below the code for the logout, which is based on setting MaxAge = -1 in the current session. However, it looks like setting MaxAge to -1 does not delete the session, and I am confused about what is happening.

Store is initialized:

package sessionstore

import (
    "github.com/gorilla/sessions"
)

// Initializes the Sessions cookie store.
var Store = sessions.NewCookieStore([]byte("key"))

For logging out, the function first reads the existing session:

// Checks the session in the cookies, or creates a new one.
session, err := sessionstore.Store.Get(r, "session")
if err != nil {
    http.Error(w, err.Error(), http.StatusInternalServerError)
    fmt.Println("Error with session check")
}

then prints the session details, changes MaxAge to -1, and saves the new session:

if !session.IsNew {
    // Print MaxAge
    fmt.Printf("MaxAge: %d\n", session.Options.MaxAge)

    // Print Secure
    fmt.Printf("Secure: %t\n", session.Options.Secure)

    // Print HttpOnly
    fmt.Printf("HttpOnly: %t\n", session.Options.HttpOnly)

    // Sets the MaxAge to a negative value to expire the session.
    session.Options = &sessions.Options{
        Path:     "/",
        MaxAge:   -1,
        HttpOnly: true,
        Secure:   true,
        SameSite: http.SameSiteNoneMode,
        Domain:   ".example.com", 
    }

    // Saves the session to apply the changes.
    err := session.Save(r, w)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        fmt.Println("Error saving session after deletion")
    } else {
        result = "OK"
    }

I then re-read the session and check if the options have been saved correctly, and they do. But it looks that the session is not really deleted straight away, or it would not be able to read the session after the save. Moreover, when the first part of the code reads the session, it gives "false" to Secure and HttpOnly, although during login process the session was created with the same Options (e.g. "true").

If I now remove the other options (Secure, etc.) the cookie will not match with the cookie in the browser, thus will not be set to expired, and refreshing the sessions will still look active. The check of the session will also show that MaxAge is back to 3600.

Could someone say what is happening, and probably where I am making mistakes?

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response

jaitaiwan commented 5 months ago

Hey there,

It's not entirely clear to me what you were hoping to achieve from what you had written. Deletion of the cookie is up to the browser: https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2

And in the sessions code the way we implement this is if the max age is 0 or less than we set it to an already-passed time so that the cookie will be considered expired by the browser: https://github.com/gorilla/sessions/blob/bdabf0ac29ab2354c0674cb0dcd3a4f31f53589d/sessions.go#L185

So it seems proper to me that the session instance stays around until the next request.

So far as I can tell, this is expected behaviour. I'm going to close this out but if you need further clarification or can provide more details about what exactly you're expecting to happen that isn't happening I'm happy to try to help further!