diff options
Diffstat (limited to 'web/session')
| -rw-r--r-- | web/session/session.go | 26 |
1 files changed, 17 insertions, 9 deletions
diff --git a/web/session/session.go b/web/session/session.go index 9f7cedde..c171c1d0 100644 --- a/web/session/session.go +++ b/web/session/session.go @@ -7,6 +7,7 @@ import ( "net/http" "github.com/mhsanaei/3x-ui/v2/database/model" + "github.com/mhsanaei/3x-ui/v2/logger" "github.com/gin-contrib/sessions" "github.com/gin-gonic/gin" @@ -20,14 +21,16 @@ func init() { gob.Register(model.User{}) } -// SetLoginUser stores the authenticated user in the session. -// The user object is serialized and stored for subsequent requests. -func SetLoginUser(c *gin.Context, user *model.User) { +// SetLoginUser stores the authenticated user in the session and persists it. +// gin-contrib/sessions does not auto-save; callers that forget Save() leave +// the cookie out of sync with server state — this helper avoids that pitfall. +func SetLoginUser(c *gin.Context, user *model.User) error { if user == nil { - return + return nil } s := sessions.Default(c) s.Set(loginUserKey, *user) + return s.Save() } // GetLoginUser retrieves the authenticated user from the session. @@ -40,22 +43,26 @@ func GetLoginUser(c *gin.Context) *model.User { } user, ok := obj.(model.User) if !ok { - + // Stale or incompatible session payload — wipe and persist immediately + // so subsequent requests don't keep hitting the same broken cookie. s.Delete(loginUserKey) + if err := s.Save(); err != nil { + logger.Warning("session: failed to drop stale user payload:", err) + } return nil } return &user } // IsLogin checks if a user is currently authenticated in the session. -// Returns true if a valid user session exists, false otherwise. func IsLogin(c *gin.Context) bool { return GetLoginUser(c) != nil } -// ClearSession removes all session data and invalidates the session. -// This effectively logs out the user and clears any stored session information. -func ClearSession(c *gin.Context) { +// ClearSession invalidates the session and tells the browser to drop the cookie. +// The cookie attributes (Path/HttpOnly/SameSite) must mirror those used when +// the cookie was created or browsers will keep it. +func ClearSession(c *gin.Context) error { s := sessions.Default(c) s.Clear() cookiePath := c.GetString("base_path") @@ -68,4 +75,5 @@ func ClearSession(c *gin.Context) { HttpOnly: true, SameSite: http.SameSiteLaxMode, }) + return s.Save() } |