koajs / generic-session

koa session store with memory, redis or others.
MIT License
414 stars, 65 forks

Session never destroyed when set rolling to true #136

Closed · tonystaark closed this 3 years ago

tonystaark commented 4 years ago

api | <-- GET /api/history
api | 2020-11-12T05:37:28.200Z koa-generic-session:session get session {"cookie":{"path":"/","httpOnly":true,"maxAge":1200000,"rewrite":true,"signed":true,"secure":false,"overwrite":true}} with key t9Ba_ZjtQrN9LOTjNh2Wv8OaFdhBEEds
api | <-- GET /api/logout
api | 2020-11-12T05:37:28.201Z koa-generic-session:session session set to null, destroy session: t9Ba_ZjtQrN9LyTjNh2Wv8OaFdhJIIec
api | --> GET /api/logout 200 3ms 16b
api | xxx GET /api/check 500 125ms -
api | 2020-11-12T05:37:28.267Z koa-generic-session:session next logic error: No declaration found
api | 2020-11-12T05:37:28.267Z koa-generic-session:session session modified
api | 2020-11-12T05:37:28.270Z koa-generic-session:session saved
api | 2020-11-12T05:37:28.318Z koa-generic-session:session session modified
api | 2020-11-12T05:37:28.321Z koa-generic-session:session saved
api | --> GET /api/transactions/history 200 178ms 76b
api | 2020-11-12T05:37:28.632Z koa-generic-session:session session id not exist, generate a new one
api | <-- GET /api/user
api | xxx GET /api/user 500 2ms -
api | 2020-11-12T05:37:28.635Z koa-generic-session:session next logic error: Unauthorized
api | 2020-11-12T05:37:28.635Z koa-generic-session:session new session and do not modified
api | 2020-11-12T05:37:30.001Z koa-generic-session:session get session {"cookie":{"path":"/","httpOnly":true,"maxAge":1200000,"rewrite":true,"signed":true,"secure":false,"overwrite":true}} with key t9Ba_ZjtQrN9LyTjNh2Wv8OaFdhJIIec
api | <-- GET /api/user
api | 2020-11-12T05:37:30.141Z koa-generic-session:session session modified
api | 2020-11-12T05:37:30.143Z koa-generic-session:session saved
api | --> GET /api/user 200 143ms 106b
api | <-- GET /api/user

As you can see above, when I first called the logout API, it destroyed the session, and when I tried to call api/user, koa-generic-session threw `next logic error: Unauthorized`. I thought the session was destroyed, but subsequently, when api/user was called again, it returned success with 200 because it set the session by itself again. My expected behaviour is that it should log out the user and should not allow the user to roll the session cookie over to other APIs again.

My logout API logic is as simple as the following, following the documentation to set the session to null:

import { Context } from 'koa';

// Per the koa-generic-session docs: assigning null to ctx.session destroys the session.
export const logoutUserService = (ctx: Context): boolean => {
  ctx.session = null;
  return true;
};

But if I set the rolling property to false, it destroys the session smoothly. Is this a bug? How do I fix it?
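A way to check for the symptom described in this issue across a whole debug log, rather than by eye: the script below is an added example, not code from koajs/generic-session or from the reporter. It scans the output that koa-generic-session writes under `DEBUG=koa-generic-session:session` for a session key that appears in a `destroy session:` line and is later loaded (`get session ... with key`) and then `saved` again, which is exactly what a logout that did not stick looks like. The line formats matched by the regular expressions are taken from the log pasted above and are an assumption about the debug output; the sample log embedded in the script is constructed from that same log, trimmed to the relevant lines.

```javascript
// Added example (not koa-generic-session's own code): detect a session key
// that is destroyed and then loaded and saved again in the library's debug log.

// Constructed sample, reduced from the log in the issue above: the logout
// destroys key ...JIIec, and a later /api/user request loads and saves it again.
const SAMPLE_LOG = `
api | <-- GET /api/history
api | 2020-11-12T05:37:28.200Z koa-generic-session:session get session {"cookie":{"path":"/","maxAge":1200000}} with key t9Ba_ZjtQrN9LOTjNh2Wv8OaFdhBEEds
api | <-- GET /api/logout
api | 2020-11-12T05:37:28.201Z koa-generic-session:session session set to null, destroy session: t9Ba_ZjtQrN9LyTjNh2Wv8OaFdhJIIec
api | --> GET /api/logout 200 3ms 16b
api | 2020-11-12T05:37:28.632Z koa-generic-session:session session id not exist, generate a new one
api | <-- GET /api/user
api | xxx GET /api/user 500 2ms -
api | 2020-11-12T05:37:28.635Z koa-generic-session:session next logic error: Unauthorized
api | 2020-11-12T05:37:28.635Z koa-generic-session:session new session and do not modified
api | 2020-11-12T05:37:30.001Z koa-generic-session:session get session {"cookie":{"path":"/","maxAge":1200000}} with key t9Ba_ZjtQrN9LyTjNh2Wv8OaFdhJIIec
api | <-- GET /api/user
api | 2020-11-12T05:37:30.141Z koa-generic-session:session session modified
api | 2020-11-12T05:37:30.143Z koa-generic-session:session saved
api | --> GET /api/user 200 143ms 106b
`;

// Patterns are assumptions derived from the log lines in the issue.
const RE_REQUEST = /<-- (\S+) (\S+)/;                 // koa-logger "request in" line
const RE_DESTROY = /destroy session: (\S+)/;          // ctx.session = null
const RE_LOAD = /get session .* with key (\S+)/;      // session loaded from the store
const RE_SAVED = /koa-generic-session:session saved\s*$/;

// Returns one finding per "saved" that follows a load of an already-destroyed key.
function findResurrectedSessions(logText) {
  const destroyed = new Set();   // keys seen in a "destroy session" line so far
  const findings = [];
  let loadedKey = null;          // key loaded for the request currently in flight
  let lastRequest = 'unknown';   // most recent "<-- METHOD PATH" line, for reporting

  logText.split('\n').forEach((line, idx) => {
    let m;
    if ((m = RE_REQUEST.exec(line))) {
      lastRequest = `${m[1]} ${m[2]}`;
    } else if ((m = RE_DESTROY.exec(line))) {
      destroyed.add(m[1]);
      loadedKey = null;
    } else if ((m = RE_LOAD.exec(line))) {
      loadedKey = m[1];
    } else if (RE_SAVED.test(line)) {
      // A save after loading a destroyed key means the store entry is back.
      if (loadedKey !== null && destroyed.has(loadedKey)) {
        findings.push({ key: loadedKey, request: lastRequest, line: idx + 1 });
      }
      loadedKey = null;
    }
  });
  return findings;
}

console.log(JSON.stringify(findResurrectedSessions(SAMPLE_LOG), null, 2));
```

Run the app with `DEBUG=koa-generic-session:session`, save stderr to a file, and feed its contents to `findResurrectedSessions`. An empty result means no destroyed key was written back to the store; a non-empty one points at the request that re-saved it, which is the case to reproduce in a test (log in, log out, replay the old cookie against a protected route and expect it to be rejected). The script only confirms the symptom from the log; it says nothing about why the library behaves this way with `rolling: true`.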