From c188056f64be268dda8f7c16e23f7ef9c90d014f Mon Sep 17 00:00:00 2001
From: MHSanaei
Date: Mon, 20 Apr 2026 14:00:18 +0200
Subject: Centralize session options and adjust cookies

Configure session cookie options centrally in initRouter and remove per-login MaxAge handling. Deleted SetMaxAge helper and its use in the login flow; session.Options are now applied once using basePath with HttpOnly and SameSite defaults, and MaxAge is set only when the stored setting is available and >0. Also make CookieManager.setCookie treat exdays as optional (only add expires when provided) and stop using a hardcoded 150-day expiry for the lang cookie in the JS language manager.

Co-Authored-By: Alireza Ahmadi
---
 web/web.go | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)
(limited to 'web/web.go')

diff --git a/web/web.go b/web/web.go
index 47f58beb..81868d36 100644
--- a/web/web.go
+++ b/web/web.go
@@ -207,14 +207,15 @@ func (s *Server) initRouter() (*gin.Engine, error) {
 store := cookie.NewStore(secret)
 // Configure default session cookie options, including expiration (MaxAge)
- if sessionMaxAge, err := s.settingService.GetSessionMaxAge(); err == nil {
- store.Options(sessions.Options{
- Path: "/",
- MaxAge: sessionMaxAge * 60, // minutes -> seconds
- HttpOnly: true,
- SameSite: http.SameSiteLaxMode,
- })
+ sessionOptions := sessions.Options{
+ Path: basePath,
+ HttpOnly: true,
+ SameSite: http.SameSiteLaxMode,
 }
+ if sessionMaxAge, err := s.settingService.GetSessionMaxAge(); err == nil && sessionMaxAge > 0 {
+ sessionOptions.MaxAge = sessionMaxAge * 60 // minutes -> seconds
+ }
+ store.Options(sessionOptions)
 engine.Use(sessions.Sessions("3x-ui", store))
 engine.Use(func(c *gin.Context) {
 c.Set("base_path", basePath)
--
cgit v1.2.3
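Review bot: The `sessionOptions` literal sets `HttpOnly` and `SameSite` but not `Secure`, so the `3x-ui` session cookie is also sent over plain HTTP whenever the panel is reachable that way. Now that the options are defined in one place, this is the spot to add `Secure: <true when the panel is served over TLS>,` (placeholder; the TLS configuration is not visible in this hunk). Separately, the `err` from `GetSessionMaxAge()` is discarded, so a settings failure silently leaves `MaxAge` at 0 and yields a browser-session cookie; a log line in an `else` branch would make that visible. The cookie's `MaxAge` is enforced by the browser only, so it is worth confirming that the server side also rejects sessions older than the configured lifetime, which cannot be seen here. `initRouter` starts and ends outside this hunk.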