Session should be regenerated if the session can not be found in the storage #1408

Closed
Spedoske opened this issue Jun 24, 2021 · 0 comments · Fixed by #1407

@Spedoske
Contributor

Fiber version
2.13.0
Issue description
In most cases, being unable to find the session in the database indicates that the session is not valid, and the session should be regenerated.
The main idea is that we should not allow a user to set an arbitrary session when the session provided by the user is not in the database.

For example, we use a UUID as the session, but a user can set a session that is not a UUID if the session string is not in the storage.

There are two main causes for the situation.

  • The user provides an invalid session
  • The session has expired, for example, in Redis.

Code snippet
The problem occurs here.

// middleware/session/store.go
// Get will get/create a session
func (s *Store) Get(c *fiber.Ctx) (*Session, error) {
	// ...
	if loadData {
		raw, err := s.Storage.Get(id)
		// Unmarshal if we found data
		if raw != nil && err == nil {
			// ...
		} else if err != nil {
			return nil, err
		} else {
			// raw is nil, which means the id is not in the storage,
			// so the id is not valid (mainly because the id has expired or the user provided an invalid id);
			// therefore, we regenerate the id
			sess.fresh = true
			sess.id = s.KeyGenerator()
		}
	}

	return sess, nil
}
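
The behaviour the issue describes, as an added Go example that is not Fiber's code or part of the original issue: `memStore`, `newID`, `resolveID` and `handle` are hypothetical names, and the storage is a constructed in-memory map. It saves session data under the id resolved with and without regeneration, so the difference shows up in which key reaches storage.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// memStore stands in for the session storage backend (hypothetical type, not Fiber's).
type memStore map[string]string

// newID plays the role of the store's KeyGenerator: 128 random bits, hex-encoded.
func newID() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// resolveID picks the id used for a request that presented clientID.
// regenerate=false: an id absent from storage is adopted as-is (reported behaviour).
// regenerate=true: an unknown id is replaced with a server-generated one (proposed).
func resolveID(st memStore, clientID string, regenerate bool) (id string, fresh bool) {
	if _, ok := st[clientID]; ok && clientID != "" {
		return clientID, false // id found in storage: existing session
	}
	if clientID == "" || regenerate {
		return newID(), true // no cookie, or unknown/expired id: issue a new one
	}
	return clientID, true // unknown id kept: the client chose the storage key
}

// handle resolves the id, then saves session data under it as a handler would.
func handle(st memStore, clientID, data string, regenerate bool) string {
	id, _ := resolveID(st, clientID, regenerate)
	st[id] = data
	return id
}

func main() {
	for _, regen := range []bool{false, true} {
		st := memStore{} // constructed, empty storage
		id := handle(st, "chosen-by-client", "user=alice", regen)
		_, stored := st["chosen-by-client"]
		fmt.Printf("regenerate=%v id=%q client-chosen key stored=%v\n", regen, id, stored)
	}
}
```
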
ReneWerner87 linked a pull request on Jun 25, 2021 that will close this issue
ReneWerner87 pushed a commit that referenced this issue Jun 30, 2021
* Update session.go

Fix: Session.Regenerate does not set Session.fresh to be true.

* Fix: Session should be regenerated if the session can not be found in the storage
#1408

* Add test for session and store in session middleware.

* Clean up code

* Update middleware/session/session.go

Co-authored-by: hi019 <65871571+hi019@users.noreply.github.com>