hub / github.com/gofiber/fiber / Test_Session_Fresh_Flag_Bug

Function Test_Session_Fresh_Flag_Bug

middleware/session/session_test.go:1718–1764  ·  view source on GitHub ↗

Run with: `go test -run Test_Session_Fresh_Flag_Bug`

This test verifies the fix for the fresh flag bug, where calling getSession() multiple times in the same request would incorrectly mark the session as fresh when the ID was found in context locals.

(t *testing.T)


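// go test -run Test_Session_Fresh_Flag_Bug
// This test verifies the fix for the fresh flag bug where calling getSession()
// multiple times in the same request would incorrectly mark the session as fresh
// when the ID was found in context locals.
//
// One store is driven through four request scenarios, and Fresh() and ID() are
// pinned for each: no cookie, a cookie carrying a saved ID, a repeated
// getSession() on the same request context, and a cookie carrying an ID the
// store holds no data for.
func Test_Session_Fresh_Flag_Bug(t *testing.T) {
	t.Parallel()

	store := NewStore()
	app := fiber.New()

	// Test Case 1: First call with no session cookie - should be fresh
	ctx1 := app.AcquireCtx(&fasthttp.RequestCtx{})
	sess1, err := store.Get(ctx1)
	require.NoError(t, err)
	require.True(t, sess1.Fresh(), "First session should be fresh (no cookie provided)")
	sessionID := sess1.ID()
	// Every later case compares against this value, so an empty ID must fail
	// here rather than surface as a confusing mismatch further down.
	require.NotEmpty(t, sessionID, "First session should have a non-empty ID")
	// Save persists the session so that Test Case 2 can resume it by ID.
	require.NoError(t, sess1.Save())
	sess1.Release()
	app.ReleaseCtx(ctx1)

	// Test Case 2: Second call with session cookie - should NOT be fresh
	ctx2 := app.AcquireCtx(&fasthttp.RequestCtx{})
	ctx2.Request().Header.SetCookie("session_id", sessionID)
	sess2, err := store.Get(ctx2)
	require.NoError(t, err)
	require.False(t, sess2.Fresh(), "Existing session should not be fresh")
	require.Equal(t, sessionID, sess2.ID())

	// Test Case 3: Call getSession() again in the same request
	// This simulates what happens when CSRF middleware calls store operations
	// The session ID is now in context locals from the first getSession() call
	// This is the regression itself: the repeated lookup must report the same
	// established session, not a fresh one.
	sess3, err := store.getSession(ctx2)
	require.NoError(t, err)
	require.False(t, sess3.Fresh(), "Session should still not be fresh on second getSession() call in same request")
	require.Equal(t, sessionID, sess3.ID())

	sess2.Release()
	sess3.Release()
	app.ReleaseCtx(ctx2)

	// Test Case 4: Expired session - should generate new ID and be fresh
	// The cookie value below was never saved in this store, so it stands in for
	// both an expired session and an identifier chosen by the client. The store
	// must not adopt a client-supplied ID it has no record of (that would permit
	// session fixation); it has to issue its own.
	ctx3 := app.AcquireCtx(&fasthttp.RequestCtx{})
	ctx3.Request().Header.SetCookie("session_id", "expired-or-nonexistent-id")
	sess4, err := store.Get(ctx3)
	require.NoError(t, err)
	require.True(t, sess4.Fresh(), "New session (after expired/missing data) should be fresh")
	// NotEqual alone is satisfied by an empty string, so the replacement ID is
	// also required to be non-empty.
	require.NotEmpty(t, sess4.ID(), "Regenerated session ID should not be empty")
	require.NotEqual(t, "expired-or-nonexistent-id", sess4.ID(), "Should have generated a new session ID")

	sess4.Release()
	app.ReleaseCtx(ctx3)
}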
1765
1766// go test -run Test_Session_CSRF_Scenario
1767// This test simulates the user-reported issue with CSRF + session middleware

Callers

nothing calls this directly

Calls 12

Get (method) · 0.95
getSession (method) · 0.95
NewStore (function) · 0.85
AcquireCtx (method) · 0.80
ReleaseCtx (method) · 0.80
New (method) · 0.65
Fresh (method) · 0.65
Request (method) · 0.65
ID (method) · 0.45
Save (method) · 0.45
Release (method) · 0.45
SetCookie (method) · 0.45

Tested by

no test coverage detected