go test -run Test_Session_Fresh_Flag_Bug
This test verifies the fix for the fresh flag bug, where calling getSession() multiple times in the same request would incorrectly mark the session as fresh when the ID was found in context locals.
(t *testing.T)
// multiple times in the same request would incorrectly mark the session as fresh
// when the ID was found in context locals.
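func Test_Session_Fresh_Flag_Bug(t *testing.T) {
	t.Parallel()

	const (
		// Cookie the requests below carry the session ID in.
		// NOTE(review): assumes a default NewStore() reads this cookie name - confirm.
		cookieName = "session_id"
		// A value the store never issued, standing in for an expired or
		// client-invented session cookie.
		unknownID = "expired-or-nonexistent-id"
	)

	store := NewStore()
	app := fiber.New()

	// Test Case 1: First call with no session cookie - should be fresh
	ctx1 := app.AcquireCtx(&fasthttp.RequestCtx{})
	sess1, err := store.Get(ctx1)
	require.NoError(t, err)
	require.True(t, sess1.Fresh(), "First session should be fresh (no cookie provided)")
	sessionID := sess1.ID()
	// The ID is replayed as a cookie below; make sure one was actually generated
	// rather than letting an empty value fail later with a misleading message.
	require.NotEmpty(t, sessionID, "Fresh session should have a generated ID")
	require.NoError(t, sess1.Save())
	sess1.Release()
	app.ReleaseCtx(ctx1)

	// Test Case 2: Second call with session cookie - should NOT be fresh
	ctx2 := app.AcquireCtx(&fasthttp.RequestCtx{})
	ctx2.Request().Header.SetCookie(cookieName, sessionID)
	sess2, err := store.Get(ctx2)
	require.NoError(t, err)
	require.False(t, sess2.Fresh(), "Existing session should not be fresh")
	require.Equal(t, sessionID, sess2.ID())

	// Test Case 3: Call getSession() again in the same request
	// This simulates what happens when CSRF middleware calls store operations
	// The session ID is now in context locals from the first getSession() call
	// This is the regression check: the ID coming from locals instead of the
	// cookie must not flip an existing session to fresh.
	sess3, err := store.getSession(ctx2)
	require.NoError(t, err)
	require.False(t, sess3.Fresh(), "Session should still not be fresh on second getSession() call in same request")
	require.Equal(t, sessionID, sess3.ID())

	sess2.Release()
	sess3.Release()
	app.ReleaseCtx(ctx2)

	// Test Case 4: Expired session - should generate new ID and be fresh
	// The client-supplied value must not be adopted as the session ID: a store
	// that accepted IDs it never issued would let whoever planted the cookie
	// know the session ID in advance (session fixation).
	ctx3 := app.AcquireCtx(&fasthttp.RequestCtx{})
	ctx3.Request().Header.SetCookie(cookieName, unknownID)
	sess4, err := store.Get(ctx3)
	require.NoError(t, err)
	require.True(t, sess4.Fresh(), "New session (after expired/missing data) should be fresh")
	// NotEqual alone would also pass for an empty ID, so check that a
	// replacement ID was really generated.
	require.NotEmpty(t, sess4.ID(), "Should have generated a new session ID")
	require.NotEqual(t, unknownID, sess4.ID(), "Should have generated a new session ID")

	sess4.Release()
	app.ReleaseCtx(ctx3)
}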

// go test -run Test_Session_CSRF_Scenario
// This test simulates the user-reported issue with CSRF + session middleware