You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
I wrote Gorilla Sessions to manage login and logout sessions a platform, and I attach below the code for the logout, which is based on setting MaxAge = -1 in the current session. However, it looks like setting MaxAge to -1 does not delete the session, and I am confused about what is happening.
Store is initialized:
package sessionstore
import (
"github.com/gorilla/sessions"
)
// Initializes the Sessions cookie store.
var Store = sessions.NewCookieStore([]byte("key"))
For logging out, the function first reads the existing session:
// Checks the session in the cookies, or creates a new one.
session, err := sessionstore.Store.Get(r, "session")
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
fmt.Println("Error with session check")
}
then prints the session details, changes MaxAge to -1, and saves the new session:
if !session.IsNew {
// Print MaxAge
fmt.Printf("MaxAge: %d\n", session.Options.MaxAge)
// Print Secure
fmt.Printf("Secure: %t\n", session.Options.Secure)
// Print HttpOnly
fmt.Printf("HttpOnly: %t\n", session.Options.HttpOnly)
// Sets the MaxAge to a negative value to expire the session.
session.Options = &sessions.Options{
Path: "/",
MaxAge: -1,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteNoneMode,
Domain: ".example.com",
}
// Saves the session to apply the changes.
err := session.Save(r, w)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
fmt.Println("Error saving session after deletion")
} else {
result = "OK"
}
I then re-read the session and check if the options have been saved correctly, and they do. But it looks that the session is not really deleted straight away, or it would not be able to read the session after the save. Moreover, when the first part of the code reads the session, it gives "false" to Secure and HttpOnly, although during login process the session was created with the same Options (e.g. "true").
If I now remove the other options (Secure, etc.) the cookie will not match with the cookie in the browser, thus will not be set to expired, and refreshing the sessions will still look active. The check of the session will also show that MaxAge is back to 3600.
Could someone say what is happening, and probably where I am making mistakes?
Expected Behavior
No response
Steps To Reproduce
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered:
Is there an existing issue for this?
Current Behavior
I wrote Gorilla Sessions to manage login and logout sessions a platform, and I attach below the code for the logout, which is based on setting MaxAge = -1 in the current session. However, it looks like setting MaxAge to -1 does not delete the session, and I am confused about what is happening.
Store is initialized:
For logging out, the function first reads the existing session:
then prints the session details, changes MaxAge to -1, and saves the new session:
I then re-read the session and check if the options have been saved correctly, and they do. But it looks that the session is not really deleted straight away, or it would not be able to read the session after the save. Moreover, when the first part of the code reads the session, it gives "false" to Secure and HttpOnly, although during login process the session was created with the same Options (e.g. "true").
If I now remove the other options (Secure, etc.) the cookie will not match with the cookie in the browser, thus will not be set to expired, and refreshing the sessions will still look active. The check of the session will also show that MaxAge is back to 3600.
Could someone say what is happening, and probably where I am making mistakes?
Expected Behavior
No response
Steps To Reproduce
No response
Anything else?
No response
The text was updated successfully, but these errors were encountered: