You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
fmt.Println("goth/gothic: no SESSION_SECRET environment variable is set. The default cookie store is not available and any calls will fail. Ignore this warning if you are using a different store.")
The reason will be displayed to describe this comment to others. Learn more.
Can you explain the problem that's being solved here?
I'm not entirely sure I understand it :-)
Is this about users having sessions with multiple oauth providers at the same time? Wouldn't that be solved by removing all sessions with providers which are not x, when completing the flow for provider x?
After this change, we immediately remove the session with the provider at login. No cookies are left. No session is left. In terms of examples: If one logs in in the example main.go, login does fetch userinfo, create a session, and immediately deletes that session. Refreshing the page will already leave a user without session.
Is this the intention (it means any type of session management is left to the user, basically they'd need to overwrite the CompleteUserAuth function)? Can you clarify this?
The reason will be displayed to describe this comment to others. Learn more.
The session here is an internal session for goth to use to store information it needs during the auth phase. It was never to be used by the end user for their applications session. The problem this fixed was that the goth session was being kept around and was causing problems if someone tried to login in with one provider and then another.
Session manangement for your application should be done by you in your application. Goth doesn’t manage that.
9885e53There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain the problem that's being solved here?
I'm not entirely sure I understand it :-)
Is this about users having sessions with multiple oauth providers at the same time? Wouldn't that be solved by removing all sessions with providers which are not x, when completing the flow for provider x?
After this change, we immediately remove the session with the provider at login. No cookies are left. No session is left. In terms of examples: If one logs in in the example main.go, login does fetch userinfo, create a session, and immediately deletes that session. Refreshing the page will already leave a user without session.
Is this the intention (it means any type of session management is left to the user, basically they'd need to overwrite the CompleteUserAuth function)? Can you clarify this?
9885e53There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The session here is an internal session for goth to use to store information it needs during the auth phase. It was never to be used by the end user for their applications session. The problem this fixed was that the goth session was being kept around and was causing problems if someone tried to login in with one provider and then another.
Session manangement for your application should be done by you in your application. Goth doesn’t manage that.