[feat] Delete store file when cookies max-age <= 0 (#93)

* Delete store file in case if cookies max-age < 0 * Improve the file path definition in erase function * Protect the session file with mutex in delete func * Delete filesystem session if max-age is <= 0 * Add tests for filesystem store delete function * Extend the doc with the file session deletion. * format source code in store_test.go
gorilla · Sep 17, 2016 · 57a8d1b · 57a8d1b
1 parent 7ab2742
commit 57a8d1b
Show file tree

Hide file tree

Showing 2 changed files with 77 additions and 0 deletions.
diff --git a/store.go b/store.go
@@ -205,8 +205,22 @@ func (s *FilesystemStore) New(r *http.Request, name string) (*Session, error) {
 }
 
 // Save adds a single session to the response.
+//
+// If the Options.MaxAge of the session is <= 0 then the session file will be
+// deleted from the store path. With this process it enforces the properly
+// session cookie handling so no need to trust in the cookie management in the
+// web browser.
 func (s *FilesystemStore) Save(r *http.Request, w http.ResponseWriter,
 	session *Session) error {
+	// Delete if max-age is <= 0
+	if session.Options.MaxAge <= 0 {
+		if err := s.erase(session); err != nil {
+			return err
+		}
+		http.SetCookie(w, NewCookie(session.Name(), "", session.Options))
+		return nil
+	}
+
 	if session.ID == "" {
 		// Because the ID is used in the filename, encode it to
 		// use alphanumeric characters only.
@@ -268,3 +282,14 @@ func (s *FilesystemStore) load(session *Session) error {
 	}
 	return nil
 }
+
+// delete session file
+func (s *FilesystemStore) erase(session *Session) error {
+	filename := filepath.Join(s.path, "session_"+session.ID)
+
+	fileMutex.RLock()
+	defer fileMutex.RUnlock()
+
+	err := os.Remove(filename)
+	return err
+}
diff --git a/store_test.go b/store_test.go
@@ -71,3 +71,55 @@ func TestGH2MaxLength(t *testing.T) {
 		t.Fatal("failed to Save:", err)
 	}
 }
+
+// Test delete filesystem store with max-age: -1
+func TestGH8FilesystemStoreDelete(t *testing.T) {
+	store := NewFilesystemStore("", []byte("some key"))
+	req, err := http.NewRequest("GET", "http://www.example.com", nil)
+	if err != nil {
+		t.Fatal("failed to create request", err)
+	}
+	w := httptest.NewRecorder()
+
+	session, err := store.New(req, "hello")
+	if err != nil {
+		t.Fatal("failed to create session", err)
+	}
+
+	err = session.Save(req, w)
+	if err != nil {
+		t.Fatal("failed to save session", err)
+	}
+
+	session.Options.MaxAge = -1
+	err = session.Save(req, w)
+	if err != nil {
+		t.Fatal("failed to delete session", err)
+	}
+}
+
+// Test delete filesystem store with max-age: 0
+func TestGH8FilesystemStoreDelete2(t *testing.T) {
+	store := NewFilesystemStore("", []byte("some key"))
+	req, err := http.NewRequest("GET", "http://www.example.com", nil)
+	if err != nil {
+		t.Fatal("failed to create request", err)
+	}
+	w := httptest.NewRecorder()
+
+	session, err := store.New(req, "hello")
+	if err != nil {
+		t.Fatal("failed to create session", err)
+	}
+
+	err = session.Save(req, w)
+	if err != nil {
+		t.Fatal("failed to save session", err)
+	}
+
+	session.Options.MaxAge = 0
+	err = session.Save(req, w)
+	if err != nil {
+		t.Fatal("failed to delete session", err)
+	}
+}