Sessions: Removing a session when FilesystemStore is used

Created on 27 Jan 2017  ·  3 Comments  ·  Source: gorilla/sessions

Hi, first thanks for this package, it's really easy to use.

Problem

If I understand correctly, when using the filesystem store for the sessions, the session cookies the client gets only contain the IDs of the sessions (as it is not a CookieStore). The backend retrieves the session from the filesystem upon an HTTP request and loads it into memory (or loads it once into memory and keeps it for subsequent requests).

Why isn't there a function to remove sessions from the filesystem store/in-memory?

My current scenario is the following. When a user logs out, I want the session to be deleted:

  • the session file must be deleted
  • the next request with the provided session cookie will be invalid as no matching session can be found

However, right now as long as I never change the private key for signing cookies, the session will be valid forever.

I could work around this problem by having a flag on the session object indicating whether the session is still valid, but that would leave me with manually having to remove the sessions from the filesystem store.

Request

Is it possible to add a function like filesystemStore.RemoveSession(id string) to let the store clean the session from the filesystem and in-memory loaded sessions?


All 3 comments

Setting sess.MaxAge(-1) and then calling sess.Save will delete the session: https://github.com/gorilla/sessions/blob/master/store.go#L213-L223

Docs here: http://www.gorillatoolkit.org/pkg/sessions#FilesystemStore.Save

Save adds a single session to the response.

If the Options.MaxAge of the session is <= 0 then the session file will be deleted from the store path. With this process it enforces the properly session cookie handling so no need to trust in the cookie management in the web browser.

Hope that clarifies.

Closing - please re-open if you have any questions!

Wondering how to handle the case with obsolete session files, e.g. some session is authenticated in browser private mode and later, obviously, wouldn't come back to log out and give the signal for session file removal. Is there any recommended way to handle such a case?
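
For the stale-file case raised in the last comment, one approach is a periodic sweep of the store directory; this is an added example, not code from the thread or from gorilla/sessions. It assumes the store's files are named session_<ID> and that a file's modification time reflects the last Save; SweepStaleSessions and the ./sessions path are hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// sessionPrefix is an assumption: FilesystemStore is taken to name its
// files "session_<ID>" inside the store path. Verify this for your version.
const sessionPrefix = "session_"

// SweepStaleSessions (hypothetical helper) removes session files in dir whose
// modification time is older than maxAge relative to now. It returns the
// base names of the files it removed.
func SweepStaleSessions(dir string, maxAge time.Duration, now time.Time) ([]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	var removed []string
	for _, e := range entries {
		// Only touch regular files that look like session files; skip
		// directories, symlinks and anything else sharing the directory.
		if !e.Type().IsRegular() || !strings.HasPrefix(e.Name(), sessionPrefix) {
			continue
		}
		info, err := e.Info()
		if err != nil {
			continue // file vanished between ReadDir and Info (e.g. a logout)
		}
		if now.Sub(info.ModTime()) <= maxAge {
			continue // still within its lifetime
		}
		if err := os.Remove(filepath.Join(dir, e.Name())); err != nil && !os.IsNotExist(err) {
			return removed, err
		}
		removed = append(removed, e.Name())
	}
	return removed, nil
}

func main() {
	// Constructed usage: sweep ./sessions for files older than 24 hours.
	removed, err := SweepStaleSessions("./sessions", 24*time.Hour, time.Now())
	fmt.Println(removed, err)
}
```

Set maxAge to at least the MaxAge configured for the session cookie so the sweep never removes a session the browser may still present.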
