Skip to content

Fix session cookie issues (#626, #549)#631

Open
tphakala wants to merge 2 commits intomarkbates:masterfrom
tphakala:fix/session-cookie-issues-626-549
Open

Fix session cookie issues (#626, #549)#631
tphakala wants to merge 2 commits intomarkbates:masterfrom
tphakala:fix/session-cookie-issues-626-549

Conversation

@tphakala
Copy link

@tphakala tphakala commented Dec 25, 2025

Summary

This PR fixes two related session cookie issues:

Root Cause Analysis

Issue #626: Duplicate Set-Cookie Headers

In CompleteUserAuth, the execution flow was:

  1. StoreInSession (line 207) → saves session → first Set-Cookie header (valid, 30 days)
  2. Function returns → defer Logout executes → second Set-Cookie header (expires 1970)

The browser received both cookies, with the expired one overriding the valid one.

Issue #549: Hash Key Error

The library pinned to old gorilla/securecookie v1.1.1 which silently accepted empty SESSION_SECRET. After users upgraded dependencies, securecookie v1.1.2+ properly validates hash keys, causing the error.

Changes

  1. Removed unnecessary StoreInSession call in CompleteUserAuth

    • The session is only used during OAuth flow and is cleared by Logout anyway
    • This prevents the duplicate Set-Cookie headers

  2. Upgraded dependencies

    • github.com/gorilla/sessions v1.1.1 → v1.4.0
    • github.com/gorilla/securecookie v1.1.1 → v1.1.2

  3. Added tests

    • Test_CompleteUserAuth_SingleSetCookie: Verifies only one Set-Cookie header
    • Test_StoreInSession_ReturnsErrorOnSaveFailure: Verifies error propagation
    • Test_GetAuthURL_PropagatesSessionErrors: Verifies end-to-end error handling

Test plan

  • All existing tests pass
  • New tests verify the fixes
  • go vet passes
  • Full test suite (go test ./...) passes

Fixes #626
Fixes #549

@tphakala
Fix session cookie issues (markbates#626, markbates#549)
15ece9c 
This commit fixes two related session cookie issues:

1. Issue markbates#626: Duplicate Set-Cookie headers
   - CompleteUserAuth was calling StoreInSession before the deferred Logout
   - This caused two Set-Cookie headers: one valid, one expired (1970)
   - The browser received both, with the expired one overriding the valid one
   - Fix: Remove the unnecessary StoreInSession call since Logout clears the session anyway

2. Issue markbates#549: "securecookie: hash key is not set" after dependency upgrade
   - Upgraded gorilla/sessions v1.1.1 → v1.4.0
   - Upgraded gorilla/securecookie v1.1.1 → v1.1.2
   - The newer securecookie properly validates hash keys instead of silently failing
   - Error propagation was already working correctly

Tests added:
- Test_CompleteUserAuth_SingleSetCookie: Verifies only one Set-Cookie header
- Test_StoreInSession_ReturnsErrorOnSaveFailure: Verifies error propagation
- Test_GetAuthURL_PropagatesSessionErrors: Verifies end-to-end error handling

Fixes markbates#626
Fixes markbates#549
@tphakala tphakala mentioned this pull request Dec 25, 2025
Merged
@tphakala
Add golangci-lint to CI workflow
eb05b2f 
- Add lint job to CI workflow using golangci-lint-action v6
- Add .golangci.yml configuration file
- Configure linter to pass on gothic/ package
- Exclude common false positives (fmt.Fprint*, defer Close, etc.)
- Add nolint directive for deferred Logout call
- Upgrade actions/cache to v4

Note: Providers have legacy linter issues that are out of scope
for this change. The gothic/ core package passes lint cleanly.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Session Cookie not setting correctly Updating dependencies breaks login: securecookie: hash key is not set

1 participant

@tphakala