gorilla/sessions

Session still exists after setting MaxAge = -1

Hitan999 opened this issue · 1 comments

Hitan999 commented

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I wrote Gorilla Sessions to manage login and logout sessions a platform, and I attach below the code for the logout, which is based on setting MaxAge = -1 in the current session. However, it looks like setting MaxAge to -1 does not delete the session, and I am confused about what is happening.

Store is initialized:

package sessionstore

import (
	"github.com/gorilla/sessions"
)

// Initializes the Sessions cookie store.
var Store = sessions.NewCookieStore([]byte("key"))

For logging out, the function first reads the existing session:

// Checks the session in the cookies, or creates a new one.
session, err := sessionstore.Store.Get(r, "session")
if err != nil {
	http.Error(w, err.Error(), http.StatusInternalServerError)
	fmt.Println("Error with session check")
}

then prints the session details, changes MaxAge to -1, and saves the new session:

if !session.IsNew {
	// Print MaxAge
	fmt.Printf("MaxAge: %d\n", session.Options.MaxAge)
		
	// Print Secure
	fmt.Printf("Secure: %t\n", session.Options.Secure)
	
	// Print HttpOnly
	fmt.Printf("HttpOnly: %t\n", session.Options.HttpOnly)
	
	// Sets the MaxAge to a negative value to expire the session.
	session.Options = &sessions.Options{
		Path:     "/",
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteNoneMode,
		Domain:   ".example.com", 
	}

	// Saves the session to apply the changes.
	err := session.Save(r, w)
	if err != nil {
		http.Error(w, err.Error(), http.StatusInternalServerError)
		fmt.Println("Error saving session after deletion")
	} else {
		result = "OK"
	}

I then re-read the session and check if the options have been saved correctly, and they do. But it looks that the session is not really deleted straight away, or it would not be able to read the session after the save. Moreover, when the first part of the code reads the session, it gives "false" to Secure and HttpOnly, although during login process the session was created with the same Options (e.g. "true").

If I now remove the other options (Secure, etc.) the cookie will not match with the cookie in the browser, thus will not be set to expired, and refreshing the sessions will still look active. The check of the session will also show that MaxAge is back to 3600.

Could someone say what is happening, and probably where I am making mistakes?

Expected Behavior

No response

Steps To Reproduce

No response

Anything else?

No response

jaitaiwan commented

Hey there,

It's not entirely clear to me what you were hoping to achieve from what you had written. Deletion of the cookie is up to the browser:
https://datatracker.ietf.org/doc/html/rfc6265#section-5.2.2

And in the sessions code the way we implement this is if the max age is 0 or less than we set it to an already-passed time so that the cookie will be considered expired by the browser:

sessions/sessions.go

Line 185 in bdabf0a

} else if options.MaxAge < 0 {

So it seems proper to me that the session instance stays around until the next request.

So far as I can tell, this is expected behaviour. I'm going to close this out but if you need further clarification or can provide more details about what exactly you're expecting to happen that isn't happening I'm happy to try to help further!