From c188056f64be268dda8f7c16e23f7ef9c90d014f Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Mon, 20 Apr 2026 14:00:18 +0200
Subject: Centralize session options and adjust cookies Configure session cookie options centrally in initRouter and remove per-login MaxAge handling. Deleted SetMaxAge helper and its use in the login flow; session.Options are now applied once using basePath with HttpOnly and SameSite defaults, and MaxAge is set only when the stored setting is available and >0. Also make CookieManager.setCookie treat exdays as optional (only add expires when provided) and stop using a hardcoded 150-day expiry for the lang cookie in the JS language manager.
Co-Authored-By: Alireza Ahmadi
---
 web/session/session.go | 12 ------------
 1 file changed, 12 deletions(-)
(limited to 'web/session')
diff --git a/web/session/session.go b/web/session/session.go
index 63da426b..95b85227 100644
--- a/web/session/session.go
+++ b/web/session/session.go
@@ -31,18 +31,6 @@ func SetLoginUser(c *gin.Context, user *model.User) {
 s.Set(loginUserKey, *user)
 }
 
-// SetMaxAge configures the session cookie maximum age in seconds.
-// This controls how long the session remains valid before requiring re-authentication.
-func SetMaxAge(c *gin.Context, maxAge int) {
- s := sessions.Default(c)
- s.Options(sessions.Options{
- Path: defaultPath,
- MaxAge: maxAge,
- HttpOnly: true,
- SameSite: http.SameSiteLaxMode,
- })
-}
-
 // GetLoginUser retrieves the authenticated user from the session.
 // Returns nil if no user is logged in or if the session data is invalid.
 func GetLoginUser(c *gin.Context) *model.User {
-- 
cgit v1.2.3