clear cookie if non-existent session.

This commit is contained in:
Miroslav Šedivý 2021-03-25 10:29:28 +01:00
parent da1d073846
commit bf6181764b
4 changed files with 13 additions and 16 deletions

View File

@ -69,10 +69,12 @@ func (api *ApiManagerCtx) Authenticate(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
session, err := api.sessions.Authenticate(r) session, err := api.sessions.Authenticate(r)
if err != nil { if err != nil {
api.sessions.CookieClearToken(w, r)
utils.HttpUnauthorized(w, err) utils.HttpUnauthorized(w, err)
} else { return
next.ServeHTTP(w, auth.SetSession(r, session))
} }
next.ServeHTTP(w, auth.SetSession(r, session))
}) })
} }

View File

@ -49,7 +49,7 @@ func (api *ApiManagerCtx) Logout(w http.ResponseWriter, r *http.Request) {
return return
} }
api.sessions.CookieClearToken(w) api.sessions.CookieClearToken(w, r)
utils.HttpSuccess(w, true) utils.HttpSuccess(w, true)
} }

View File

@ -25,20 +25,15 @@ func (manager *SessionManagerCtx) CookieSetToken(w http.ResponseWriter, token st
}) })
} }
func (manager *SessionManagerCtx) CookieClearToken(w http.ResponseWriter) { func (manager *SessionManagerCtx) CookieClearToken(w http.ResponseWriter, r *http.Request) {
sameSite := http.SameSiteDefaultMode cookie, err := r.Cookie(manager.config.CookieName)
if manager.config.CookieSecure { if err != nil {
sameSite = http.SameSiteNoneMode return
} }
http.SetCookie(w, &http.Cookie{ cookie.Value = ""
Name: manager.config.CookieName, cookie.Expires = time.Unix(0, 0)
Value: "", http.SetCookie(w, cookie)
Expires: time.Unix(0, 0),
Secure: manager.config.CookieSecure,
SameSite: sameSite,
HttpOnly: true,
})
} }
func (manager *SessionManagerCtx) Authenticate(r *http.Request) (types.Session, error) { func (manager *SessionManagerCtx) Authenticate(r *http.Request) (types.Session, error) {

View File

@ -51,6 +51,6 @@ type SessionManager interface {
ImplicitHosting() bool ImplicitHosting() bool
CookieSetToken(w http.ResponseWriter, token string) CookieSetToken(w http.ResponseWriter, token string)
CookieClearToken(w http.ResponseWriter) CookieClearToken(w http.ResponseWriter, r *http.Request)
Authenticate(r *http.Request) (Session, error) Authenticate(r *http.Request) (Session, error)
} }