Is the cookie stored in file system?

Open yafeng-Soong opened this issue 2 years ago • 3 comments

When I restarted the server, I found that the old cookie still worked. Is the cookie stored in the file system? If so, where is the cookie stored (file path)?

yafeng-Soong avatar Jan 24 '22 06:01 yafeng-Soong

I was equally puzzled and wished to know the answer. gsessions "github.com/gorilla/sessions": I'm in the source code, and it's based on the file system.

18208202069 avatar Apr 06 '22 06:04 18208202069

I don't think FileSystemStore is used in this gin-contrib/sessions, so I assume you are using the cookie-based store.

Here is the Save function for cookie-based store. You can see the session.Values is encoded and saved into the cookie returned to the browser. So technically the session is saved in the client browser :D

// Save adds a single session to the response.
func (s *CookieStore) Save(r *http.Request, w http.ResponseWriter,
	session *Session) error {
	encoded, err := securecookie.EncodeMulti(session.Name(), session.Values,
		s.Codecs...)
	if err != nil {
		return err
	}
	http.SetCookie(w, NewCookie(session.Name(), encoded, session.Options))
	return nil
}

So as long as you use the same secret for the store and the cookie is decode-able, the session will still work. It took me a while to read through the source code and figure it out :D. Hope this will help.

Ragenose avatar Feb 23 '23 06:02 Ragenose
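
The behaviour described in the comment above, as an added example that is not part of the original thread or of gorilla/sessions: a simplified HMAC-signed cookie using only the Go standard library, showing that a fresh store with the same secret accepts an old cookie while a store with a rotated secret rejects it. The `Store` type, its wire format and the secrets are assumptions constructed for illustration; the real securecookie encoding differs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Store is an added, simplified stand-in for a cookie-based session store:
// it holds only the signing key, never any session data.
type Store struct{ key []byte }

func (s Store) mac(name, payload string) []byte {
	m := hmac.New(sha256.New, s.key)
	m.Write([]byte(name + "|" + payload))
	return m.Sum(nil)
}

// Encode returns the cookie value: base64(values) + "." + base64(HMAC).
func (s Store) Encode(name, values string) string {
	p := base64.RawURLEncoding.EncodeToString([]byte(values))
	return p + "." + base64.RawURLEncoding.EncodeToString(s.mac(name, p))
}

// Decode verifies the MAC in constant time before trusting the payload.
func (s Store) Decode(name, cookie string) (string, error) {
	p, sig, ok := strings.Cut(cookie, ".")
	if !ok {
		return "", errors.New("malformed cookie")
	}
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil || !hmac.Equal(got, s.mac(name, p)) {
		return "", errors.New("invalid signature")
	}
	values, err := base64.RawURLEncoding.DecodeString(p)
	return string(values), err
}

func main() {
	cookie := Store{[]byte("constructed-secret-A")}.Encode("mysession", "user=alice")
	// "Restart": a brand-new Store with the same secret and no saved state.
	v, err := Store{[]byte("constructed-secret-A")}.Decode("mysession", cookie)
	fmt.Println(v, err)
	// Rotated secret: the old cookie no longer verifies.
	_, err = Store{[]byte("constructed-secret-B")}.Decode("mysession", cookie)
	fmt.Println(err)
}
```

The payload in this sketch is signed but not encrypted, so anything placed in it is readable by the client. Changing the secret is what invalidates outstanding cookies; restarting the process does not.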

Thanks!

yafeng-Soong avatar Feb 23 '23 06:02 yafeng-Soong