Fiber version
2.13.0
Issue description
In most cases, being unable to find the session in the database indicates that the session is not valid, and the session should be regenerated.
The main idea is that we should not allow the user to set an arbitrary session when the session provided by the user is not in the database.
For example, we use a UUID as the session, while the user can set a session that is not a UUID if the session string is not in the storage.
There are two main causes for the situation.
* The user provides an invalid session.
* The session has expired, for example, in Redis.
Code snippet
The problem occurs here.
```go
// middleware/session/store.go

// Get will get/create a session
func (s *Store) Get(c *fiber.Ctx) (*Session, error) {
	...
	if loadData {
		raw, err := s.Storage.Get(id)
		// Unmarshal if we found data
		if raw != nil && err == nil {
			...
		} else if err != nil {
			return nil, err
		} else {
			// raw is nil, which means id is not in the storage
			// so it means that id is not valid (mainly because the id is expired or the user provides an invalid id)
			// therefore, we regenerate an id
			sess.fresh = true
			sess.id = s.KeyGenerator()
		}
	}
	return sess, nil
}
```
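The difference between the reported and the proposed behaviour, as an added example that is not part of the original issue or Fiber's code. `Store`, `Session`, `Get` with its `strict` flag and `newID` are hypothetical stand-ins, and the cookie values are constructed.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"time"
)

// Store is a hypothetical stand-in for the session store, not Fiber's type.
type Store struct {
	data map[string]time.Time // session id -> expiry time
}

// Session carries the two fields the issue discusses.
type Session struct {
	ID    string
	Fresh bool
}

// newID stands in for the configured key generator (128 random bits, hex).
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Get resolves the client-sent id. strict=false keeps an id missing from storage
// (reported behaviour); strict=true replaces it with a fresh server-generated id.
func (s *Store) Get(clientID string, now time.Time, strict bool) *Session {
	exp, found := s.data[clientID]
	found = found && !now.After(exp) // an expired entry counts as missing, as with a Redis TTL
	if clientID != "" && (found || !strict) {
		return &Session{ID: clientID}
	}
	return &Session{ID: newID(), Fresh: true}
}

func main() {
	now := time.Now()
	s := &Store{data: map[string]time.Time{"known-id": now.Add(time.Hour)}}
	for _, id := range []string{"known-id", "not-a-uuid"} { // constructed cookie values
		fmt.Printf("cookie=%q lenient=%q strict=%q\n", id, s.Get(id, now, false).ID, s.Get(id, now, true).ID)
	}
}
```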
* Update session.go
Fix: Session.Regenerate does not set Session.fresh to be true.
* Fix: Session should be regenerated if the session can not be found in the storage
#1408
* Add test for session and store in session middleware.
* Clean up code
* Update middleware/session/session.go
Co-authored-by: hi019 <65871571+hi019@users.noreply.github.com>