clear cookie if non-existent session.

internal/api/router.go

@@ -69,10 +69,12 @@ func (api *ApiManagerCtx) Authenticate(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		session, err := api.sessions.Authenticate(r)
 		if err != nil {
+			api.sessions.CookieClearToken(w, r)
 			utils.HttpUnauthorized(w, err)
-		} else {
-			next.ServeHTTP(w, auth.SetSession(r, session))
+			return
 		}
+
+		next.ServeHTTP(w, auth.SetSession(r, session))
 	})
 }
 

internal/api/session.go

@@ -49,7 +49,7 @@ func (api *ApiManagerCtx) Logout(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	api.sessions.CookieClearToken(w)
+	api.sessions.CookieClearToken(w, r)
 
 	utils.HttpSuccess(w, true)
 }

internal/session/auth.go

@@ -25,20 +25,15 @@ func (manager *SessionManagerCtx) CookieSetToken(w http.ResponseWriter, token st
 	})
 }
 
-func (manager *SessionManagerCtx) CookieClearToken(w http.ResponseWriter) {
-	sameSite := http.SameSiteDefaultMode
-	if manager.config.CookieSecure {
-		sameSite = http.SameSiteNoneMode
+func (manager *SessionManagerCtx) CookieClearToken(w http.ResponseWriter, r *http.Request) {
+	cookie, err := r.Cookie(manager.config.CookieName)
+	if err != nil {
+		return
 	}
 
-	http.SetCookie(w, &http.Cookie{
-		Name:     manager.config.CookieName,
-		Value:    "",
-		Expires:  time.Unix(0, 0),
-		Secure:   manager.config.CookieSecure,
-		SameSite: sameSite,
-		HttpOnly: true,
-	})
+	cookie.Value = ""
+	cookie.Expires = time.Unix(0, 0)
+	http.SetCookie(w, cookie)
 }
 
 func (manager *SessionManagerCtx) Authenticate(r *http.Request) (types.Session, error) {

internal/types/session.go

@@ -51,6 +51,6 @@ type SessionManager interface {
 	ImplicitHosting() bool
 
 	CookieSetToken(w http.ResponseWriter, token string)
-	CookieClearToken(w http.ResponseWriter)
+	CookieClearToken(w http.ResponseWriter, r *http.Request)
 	Authenticate(r *http.Request) (Session, error)
 }