🚀 [Feature]: SessionOnly when cookie.Expires is 0

[yvestumushimire]

Description

When Cookie Expires is not set default to zero (time.Time{}) is the same as SessionOnly: true

Fixes #2145

Type of change

Please delete options that are not relevant.

• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• This change requires a documentation update

Checklist:

• For new functionalities I follow the inspiration of the express js framework and built them similar in usage
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation - https://github.com/gofiber/docs for https://docs.gofiber.io/
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• If new dependencies exist, I have checked that they are really necessary and agreed with the maintainers/community (we want to have as few dependencies as possible)
• I tried to make my code as fast as possible with as few allocations as possible
• For new code I have written benchmarks so that they can be analyzed and improved

Commit formatting:

Use emojis on commit messages so it provides an easy way of identifying the purpose or intention of a commit. Check out the emoji cheatsheet here: https://gitmoji.carloscuesta.me/

[welcome]

Thanks for opening this pull request! 🎉 Please check out our contributing guidelines. If you need help or want to chat with us, join us on Discord https://gofiber.io/discord

[pjebs]

https://stackoverflow.com/questions/70715904/golang-cookie-max-age-vs-expire

[yvestumushimire]

https://stackoverflow.com/questions/70715904/golang-cookie-max-age-vs-expire

@pjebs Thank you for reference I also find this definition:

Cookies are session cookies if they do not specify the Expires or Max-Age attribute.

I updated my changes.

[ReneWerner87]

shouldn't it rather be adjusted within the session middleware, that as soon as you send 0, the sessionOnly property is used when setting the cookie, instead of adjusting the general feature to set the cookie ?

[ReneWerner87]

@yvestumushimire can you check my last comment

[yvestumushimire]

shouldn't it rather be adjusted within the session middleware, that as soon as you send 0, the sessionOnly property is used when setting the cookie, instead of adjusting the general feature to set the cookie ?

Hello @ReneWerner87 can you please guide where " as soon as you send 0" happens I was thinking setSession method can solve it.

[ReneWerner87]

currently we are changing the way cookies are handled throughout fiber so that it is no longer possible to set the expire of a cookie to 0

by doing this we are limiting the usage for all consumers and this may lead to unexpected behavior

would rather change the logic in setSession

fiber/middleware/session/session.go

Line 188 in c187c6a

func (s *Session) setSession() {

so that when the expire is set to 0 there instead of maxAge and expire the cookie is marked as session only

fiber/middleware/session/session.go

Lines 198 to 199 in c187c6a

	fcookie.SetMaxAge(int(s.exp.Seconds()))
	fcookie.SetExpire(time.Now().Add(s.exp))

fiber/ctx.go

Line 129 in c187c6a

SessionOnly bool `json:"session_only"`

and maybe this place

fiber/middleware/session/session.go

Lines 143 to 145 in c187c6a

	if s.exp <= 0 {
	s.exp = s.config.Expiration
	}

[yvestumushimire]

So if I understand you correctly instead of doing this:

if int(s.exp.Seconds()) != 0 {
			fcookie.SetMaxAge(int(s.exp.Seconds()))
		} else if s.exp != 0 {
			fcookie.SetExpire(time.Now().Add(s.exp))
		}

I should set SessionOnly: true

[ReneWerner87]

So if I understand you correctly instead of doing this:

if int(s.exp.Seconds()) != 0 {
			fcookie.SetMaxAge(int(s.exp.Seconds()))
		} else if s.exp != 0 {
			fcookie.SetExpire(time.Now().Add(s.exp))
		}

I should set SessionOnly: true

yes but in the session middleware files

[pjebs]

Technically, setting Expire to 0 is a deliberate setting to immediately delete the session.

[ReneWerner87]

Yes i know, but maybe someone is doing this instead of the delete and then we produce a breaking change
(because it's not forbidden to do this)

For me the way to solve the bug is in the files of the middleware

[yvestumushimire]

I also saw SessionOnly is fields for Cookie struct and it is not implemented in fasthttp

[ReneWerner87]

i think the feature is not completely thought out and also not 100% perfectly possible

how long should we keep the data in the storage if the cookie is set to the session only setting ?

[pjebs]

how long should we keep the data in the storage if the cookie is set to the session only setting ?

The expiration for the session data is a different concept. There should be a separate setting for that since the cookie expiration and session data expiration are different.

The only requirement should be cookie expiration duration should be <= session data expiration.

[ReneWerner87]

then we would need another setting and should not mix it with the expire flag

and the api creator then decides how long it keeps the data in the storage with sessionOnly?

[ReneWerner87]

@yvestumushimire any progress on the subject ? last statement from me was that we need another setting not to destroy the other because they are actually different settings

and we can't control 2 different things with expire

expire is used to tell the storage how long it should be kept in them
Since sessionOnly or 0 is not a valid value for the storage expire time, this will not be feasible with one config setting.

[yvestumushimire]

Hello @ReneWerner87 I actually get confused and I really need to understand these concepts more. cause the SessionOnly config is already available, and by definition if Expires is not specified "the cookie becomes a session cookie. A session finishes when the client shuts down, after which the session cookie is removed." - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
the idea (my changes) was to make expires as alias for SessionOnly config. I would like your suggestions & guidance on how to do it.

[ReneWerner87]

"Session only" is set if the expire is set to 0, but then the data is not stored in the server.

In my opinion you can't use the expire config setting for the session only feature, because both are different things.

Currently expire time controls how long the data is kept in the backend memory/storage and at the same time how long the session is valid or exists in the browser

"Session only" means, as you said, that the sessionid referencing the backend data is only present until the browser is closed.
But we can't set the expire to 0 for this feature, because at every request of the browser the data behind the referenced session id in the backend storage would be empty.

So we should make expire controllable for storage and session with more than one configuration property

Hope now it is more understandable, otherwise just report again

[yvestumushimire]

@ReneWerner87 Does these latest changes make sense?

[leonklingele]

What's the status of this @efectn @ReneWerner87. PR lgtm.

[welcome]

Congrats on merging your first pull request! 🎉 We here at Fiber are proud of you! If you need help or want to chat with us, join us on Discord https://gofiber.io/discord