Golang Gorilla/session (Gorilla sessions)


Question

I'm trying to build a simple web application with a user login.

I found this function in another post here.

package main

import (
	"log"
	"net/http"

	"github.com/gorilla/sessions"
)

// Store assumed by the snippet; the key is a placeholder, not a real secret.
var store = sessions.NewCookieStore([]byte("REPLACE-WITH-SECRET-KEY"))

func initSession(r *http.Request) *sessions.Session {
	session, _ := store.Get(r, "mBoxStore") // error discarded, as in the original
	if session.IsNew {
		// options are applied only while the session is brand new
		session.Options.Domain = "localhost"
		session.Options.MaxAge = 10
		session.Options.HttpOnly = false
		session.Options.Secure = false
		log.Println("Create New Session (cookie)")
	} else {
		log.Println("Use Old Session (old cookie)")
	}
	return session
}

The cookie expires after 10 seconds, but when I reload the page later, e.g. after 1 minute, it uses the old (expired) cookie.

In my browser (Firefox) I see the cookie with the correct expiry date.

I think it should create a new session with a new cookie, or is that wrong?

Any tips?

English:

I'm trying to build a simple web application with a user login.

I found this function in another post here.

package main

import (
	"log"
	"net/http"

	"github.com/gorilla/sessions"
)

// Store assumed by the snippet; the key is a placeholder, not a real secret.
var store = sessions.NewCookieStore([]byte("REPLACE-WITH-SECRET-KEY"))

func initSession(r *http.Request) *sessions.Session {
	session, _ := store.Get(r, "mBoxStore") // error discarded, as in the original
	if session.IsNew {
		// options are applied only while the session is brand new
		session.Options.Domain = "localhost"
		session.Options.MaxAge = 10
		session.Options.HttpOnly = false
		session.Options.Secure = false
		log.Println("Create New Session (cookie)")
	} else {
		log.Println("Use Old Session (old cookie)")
	}
	return session
}

The cookie expires after 10 seconds, but when I reload the page after e.g. 1 minute it uses the old (expired) cookie.

In my browser (Firefox) I see the cookie with the right expiry date.

I think it should create a new session with a new cookie, or is it wrong?

Any tips?

Answer 1

Score: 4

The reason you're seeing "Use Old Session (old cookie)" is that the session options are only set when the cookie is first created. Each time the cookie is accessed before it expires (isNew == false), the options are not set, and the defaults override the values you set when the session was created. The default MaxAge is 86400 * 30 (one month).

You can verify this as follows:

  1. Clear all cookies for the site (e.g. localhost).
  2. Open a route in your browser.
  3. Check the expiry date on the newly created cookie; you'll see it is now + 10 seconds.
  4. Wait out those 10 seconds.
  5. Refresh the page; your log should confirm it's a new cookie.
  6. Now refresh the page before the cookie expires (i.e. within 10 seconds).
  7. You'll see the expiry has become now + 1 month (the default).

That is why I suggest setting the session options once, at application startup. Only deviate when you set shorter cookie lifetimes for authentication-security purposes, and in those cases use a different session name (e.g. _csrf_token with a lifetime of 4 hours).

The snippet you're using isn't ideal either, since it completely ignores any error encountered while trying to retrieve the session. You might run into errors if the underlying session store is broken or the user has cookies disabled.

English:

The reason you're seeing Use Old Session (old cookie) is because the session options are only being set when the cookie is first created. Each time you access the cookie before it expires (isNew == false) Options are not being set, and the defaults are overriding those you set on creation of the session. The default MaxAge is 86400 * 30 (one month).

You can verify this by:

  1. Clearing all cookies for the site (i.e. localhost)
  2. Bringing up a route in your browser
  3. Checking the expiry date on the freshly created cookie - you'll see it's now + 10 seconds
  4. Wait out that 10 seconds.
  5. Refresh the page - your log should confirm it's a new cookie.
  6. Now refresh the page before the cookie expires (i.e. within 10 seconds)
  7. You'll see the cookie now has an expiry of now + 1 month (the default).

This is why I suggest setting your session options once, on application startup. Only deviate if you are setting shorter cookie lifetimes for authentication security purposes, and in those cases use a different session name (i.e. _csrf_token with an expiry of 4 hours).

The code snippet you're using isn't really ideal either as it completely ignores any errors encountered when trying to retrieve a session. You might run into errors if your underlying session store is broken, and/or the user has cookies disabled.

huangapple
  • Posted on 2014-02-17 02:27:34
  • Please keep this link when reposting: https://go.coder-hub.com/21815520.html