Session renew gets overwritten by session change

[lukasschlueter]

Expected Behavior

When using Session, calling session.renew() always renews the session, indepentent of it's location in the handler (unless there is a session.purge()).

Actual Behavior

When calling session.set("x", "y") after session.renew(), the session does not get renewed.

From my understanding of the code, this is caused by this line in session.set() (and session.remove()):

poem/poem/src/session/session.rs

Line 85 in ad20fe7

inner.status = SessionStatus::Changed;

This unconditionally overwrites the status and deletes the information that a session renew was requested. What I think should happen instead is that it only overwrites the status if it is currently set to Unchanged.

Steps to Reproduce the Problem

use poem::http::header;
use poem::session::{CookieConfig, MemoryStorage, ServerSession, Session};
use poem::{handler, Endpoint, Request};
use poem::{EndpointExt, IntoResponse, Route};

#[tokio::main]
async fn main() {
    let app = Route::new()
        .at("/", renew_and_set_session)
        .with(ServerSession::new(
            CookieConfig::default(),
            MemoryStorage::default(),
        ));

    let resp = app.get_response(Request::default()).await;

    let cookie1 = resp.headers().get(header::SET_COOKIE).unwrap();
    dbg!(cookie1);

    let resp = app
        .get_response(Request::builder().header(header::COOKIE, cookie1).finish())
        .await;

    let cookie2 = resp.headers().get(header::SET_COOKIE);
    dbg!(cookie2);

    assert!(cookie2.is_some());
    assert_ne!(cookie1, cookie2.unwrap());
}

#[handler]
async fn renew_and_set_session(session: &Session) -> impl IntoResponse {
    println!("{:?}", session.get::<String>("x"));
    session.renew();                                // A
    session.set("x", "y".to_string());              // B
    ""
}

Note that swapping line A and B seems to work fine.

Specifications

• Version: 1.2.53

[sunli829]

Fixed in v1.2.54.

[lukasschlueter]

Awesome, thanks!