Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[BUG] Session is not destroyed in request cookie and so not recreated #1877

Closed
mblaschke opened this issue Apr 22, 2022 · 3 comments
Closed
Assignees

Comments

@mblaschke
Copy link

Describe the bug
When trying to regenerate a session (destroy & start again in same request) it isn't working anymore with iris v12.2.0-beta1

To Reproduce

package main

import (
	"github.com/kataras/iris/v12"

	"github.com/kataras/iris/v12/sessions"
)

const cookieNameForSessionID = "session_id_cookie"

var sess *sessions.Sessions

func secret(ctx iris.Context) {
	// Check if user is authenticated
	if auth, _ := sessions.Get(ctx).GetBoolean("authenticated"); !auth {
		ctx.StatusCode(iris.StatusForbidden)
		return
	}

	// Print secret message
	ctx.WriteString("The cake is a lie!")
}

func login(ctx iris.Context) {
	session := sessions.Get(ctx)

        sess.Destroy(ctx)
        session = sess.Start(ctx)
	// Authentication goes here
	// ...

	// Set user as authenticated
	session.Set("authenticated", true)
}

func logout(ctx iris.Context) {
	session := sessions.Get(ctx)

	// Revoke users authentication
	session.Set("authenticated", false)
}

func main() {
	app := iris.New()
	sess = sessions.New(sessions.Config{
		Cookie: cookieNameForSessionID,
		// CookieSecureTLS: true,
		AllowReclaim: true,
	})
	app.Use(sess.Handler())
	// ^ or comment this line and use sess.Start(ctx) inside your handlers
	// instead of sessions.Get(ctx).

	app.Get("/secret", secret)
	app.Get("/login", login)
	app.Get("/logout", logout)

	app.Listen(":8080")
}

iris v12.1.8 response headers for /login:

Set-Cookie: session_id_cookie=; Path=/; Domain=localhost; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=0
Set-Cookie: session_id_cookie=983fdcd2-c625-4854-8548-d90fdd5a2f3b; Path=/; Domain=localhost; Expires=Mon, 04 Mar 2047 01:07:52 GMT; Max-Age=784688398; HttpOnly; SameSite=Lax

iris v12.2.0-beta1 response headers for /login:

Set-Cookie: session_id_cookie=; Path=/; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=0; HttpOnly

iris @master response headers for /login (also wrong order?):

Set-Cookie: session_id_cookie=49e6457d-5735-40f5-b928-868cae3a945e; Path=/; Domain=localhost; Expires=Mon, 04 Mar 2047 01:11:48 GMT; Max-Age=784688345; HttpOnly; SameSite=Lax
Set-Cookie: session_id_cookie=; Path=/; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=0; HttpOnly

Expected behavior
Session is cleared (also invalidated in request cookies?) and a new session is created
and only one Set-Cookie header is sent

Desktop (please complete the following information):

  • OS: osx

iris.Version

  • v12.2.0-beta1

Additional context
or implement a way to recreate the session

@kataras
Copy link
Owner

kataras commented Apr 23, 2022

Hello @mblaschke,

I don't understand, what's the use case of that code snippet? Share with me the final goal, what you want to achieve, so I can come back with a better solution than re-creating a session twice in the same request-response lifecycle.

	session := sessions.Get(ctx)

	sess.Destroy(ctx)
	session = sess.Start(ctx)

Why session := sessions.Get(ctx) and then session = sess.Start(ctx) (session is unused), while this handler already wrapped with a session middeware on main function app.Use(sess.Handler())?

@mblaschke
Copy link
Author

mblaschke commented Apr 23, 2022

use case: regenerate the session id for login/privilege change

so i want to destroy the old session, and start a fresh session (and copy over some data)

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change

@kataras
Copy link
Owner

kataras commented Apr 23, 2022

Fixed @mblaschke :) Thanks for the link/reminder though. Update to @master: go get github.com/kataras/iris/v12@master and run go mod tidy -compat=1.18.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants