Changed auth/encryption key prevents the signed in user from accessing the webpage again #249
Comments
What does *your* code do here? It's the handler code that decides how to handle the error returned from store.Get.
@elithrar, my code here is to let you know that I use mongostore, not securecookies/sessions directly. The issue is that this package's
The store shouldn't matter here: your handler code determines how to handle the error when a store (any store!) can't decode an existing session due to key changes. You posted the below, but nothing else. Where is the error handling for
@elithrar, please check the console output I posted.
Is there no stack trace printed at all?
Nothing at all. Only the 5 lines I've put into the description. In a line with If you have ideas, I can add more debugging things into my code.
Found the reason why panics were ignored in my case and fixed it. Now I see the errors from the code above:
That means
session, err = store.New(s.request, name)
session.name = name
On the other hand, the
@inmylo As the session store states, "Note that New should never return a nil session, even in the case of an error if using the Registry infrastructure to cache the session." which means that it's mongostore's fault. However, the fact that the error is ignored is debatable, that is, should the session be stored if its creation returned an error? About that, what I don't understand @elithrar is why we don't immediately return the error and instead save both the session and the error into the registry's sessions. Wouldn't the best way to handle this be to save the session only, but only if there are no errors?
I didn't write the original code, but it seems like a short-circuit return and/or better nil handling from store implementations would solve this. |
@deltarays,
Alright, once I get home I'm going to make a pull request for that |
I'd suggest moving this to the mongo library, as it is a problem on their end not following the contracts of this library's interfaces! |
This issue has been automatically marked as stale because it hasn't seen a recent update. It'll be automatically closed in a few days. |
@deltarays, @elithrar any updates?
Hi @inmylo, sorry for the late response but I ended up closing the pull request since as per the discussion with aeneasr my change would've had the possibility to break code in certain cases. |
Describe the bug
When a single pair of an authentication key and encryption key is used - changing it prevents the signed in user from accessing the webpage again.
Versions
Steps to Reproduce
I create a sessions Mongostore with:
When the user requests the webpage, check whether he is signed in:
store.Get calls a function from your package:
I've added debug printing to this function:
I sign in to the website. When the service is restarted, a new pair of authentication and encryption keys is generated. I refresh the webpage: the server returns literally nothing, an empty page, no Go errors. In the console I see only:
.. that means
fmt.Printf("204")
and the later code is never called for some reason; it feels like the current goroutine is stuck or being dropped. The only thing that helps is clearing the browser's cookies for this website manually. Please make
func (s *Registry) Get()
return something even if it can't decode cookies.
Expected behavior
When the service is restarted and a new pair of authentication and encryption keys is generated, the sessions package informs that the user is not signed in and returns an error that it can't decode cookies. The user has to sign in again.
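As an added example, not code from gorilla/sessions, mongostore, or anyone in this thread: a cut-down Go model of the two points raised above. Registry.Get short-circuits when a store hands back a nil session instead of dereferencing it (the assignment that panicked here), and a handler-side check treats any error from Get, such as a cookie decode failure after the keys are regenerated on restart, as "not signed in": it expires the stale cookie and redirects to the sign-in page, which is the expected behaviour the report asks for. Session, Store, Registry, keyedStore, nilStore, ErrDecode, ErrNilSession and ErrNotSignedIn are stand-ins constructed for this example; keyedStore fakes the key check with a string compare and is not how any real store or codec works.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Session is a cut-down stand-in for sessions.Session with only the fields used here.
type Session struct {
	name  string
	IsNew bool
	User  string // who is signed in, empty for an anonymous session
}

// Store mirrors the single sessions.Store method that Registry.Get calls.
type Store interface {
	New(r *http.Request, name string) (*Session, error)
}

// Constructed sentinels: ErrDecode stands in for a cookie codec's "key no longer matches"
// error, ErrNilSession flags a store breaking the "New never returns nil" contract.
var (
	ErrDecode      = errors.New("securecookie: the value is not valid")
	ErrNilSession  = errors.New("sessions: store returned a nil session")
	ErrNotSignedIn = errors.New("sessions: not signed in")
)

// Registry caches one session per name for the life of a request, as sessions.Registry does.
type sessionInfo struct{ s *Session; e error }
type Registry struct {
	request  *http.Request
	sessions map[string]sessionInfo
}

// Get is the short-circuit variant discussed in the thread: a nil session from the
// store is reported as an error instead of being dereferenced (the original panic) and cached.
func (s *Registry) Get(store Store, name string) (*Session, error) {
	if info, ok := s.sessions[name]; ok {
		return info.s, info.e
	}
	session, err := store.New(s.request, name)
	if session == nil {
		if err != nil {
			return nil, fmt.Errorf("%w (%v)", ErrNilSession, err)
		}
		return nil, ErrNilSession
	}
	session.name = name // this is the assignment that panicked on a nil session
	s.sessions[name] = sessionInfo{s: session, e: err}
	return session, err
}

// keyedStore fakes a cookie-backed store: a cookie "decodes" only if it was written under
// the current key. The string compare is a constructed stand-in for a real MAC/decrypt step.
type keyedStore struct{ key string }

func (k keyedStore) New(r *http.Request, name string) (*Session, error) {
	s := &Session{IsNew: true}
	c, err := r.Cookie(name)
	if err != nil {
		return s, nil // no cookie: fresh anonymous session, no error
	}
	if c.Value != "signed-with-"+k.key {
		return s, ErrDecode // keys rotated: still hand back a usable session alongside the error
	}
	s.IsNew, s.User = false, "alice"
	return s, nil
}

// nilStore reproduces the store behaviour the issue reports: nil session plus an error.
type nilStore struct{}
func (nilStore) New(*http.Request, string) (*Session, error) { return nil, ErrDecode }

// signedInUser is the handler-side check: any error from Get, or an anonymous session, means
// "not signed in"; the stale cookie is expired so the next request starts clean, then redirect.
func signedInUser(w http.ResponseWriter, r *http.Request, store Store, name string) (string, error) {
	reg := &Registry{request: r, sessions: map[string]sessionInfo{}}
	sess, err := reg.Get(store, name)
	if err == nil && !sess.IsNew {
		return sess.User, nil
	}
	if err == nil {
		err = ErrNotSignedIn
	}
	http.SetCookie(w, &http.Cookie{Name: name, Value: "", Path: "/", MaxAge: -1, HttpOnly: true})
	http.Redirect(w, r, "/login", http.StatusSeeOther)
	return "", err
}

func main() {
	r := httptest.NewRequest(http.MethodGet, "/", nil) // constructed: cookie issued under the old key
	r.AddCookie(&http.Cookie{Name: "sid", Value: "signed-with-old-key"})
	w := httptest.NewRecorder()
	user, err := signedInUser(w, r, keyedStore{key: "new-key"}, "sid")
	fmt.Printf("user=%q err=%v status=%d\n", user, err, w.Code)
}
```

With a conforming store the decode error still comes with a usable session, so the handler can make its own decision (here: sign out and clear the cookie). With a store that returns nil, the nil check in Get turns the panic into an error the handler sees, and nothing is cached for that name, which is the "short-circuit return and/or better nil handling" suggested in the thread.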