
Clear cookie and redirect to login page when cookie expired instead of returning 500?

Open raven-chen opened this issue 6 years ago • 3 comments

It is reasonable behavior for the cookie-expired user to log in again, rather than see a 500 page?

raven-chen, May 15 '19 03:05

See my comment to your comment about the behavior of your Cookie/Session storers.

aarondl, May 20 '19 20:05

Hi @aarondl

Yes, not returning an error on LoadClientState is a working approach, but it is more like the middleware's responsibility to handle the error. I'm thinking of doing something like:

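func (a *Authboss) LoadClientStateMiddleware(h http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		writer := a.NewResponse(w)
		request, err := a.LoadClientState(writer, r)
		if err != nil {
			logger := a.RequestLogger(r)
			logger.Errorf("failed to load client state %+v", err)

			// Delete the session through the authboss response writer so the
			// deletion is flushed with the response, then redirect with a
			// real redirect status (a 401 is not followed by browsers).
			DelAllSession(writer, []string{})
			http.Redirect(writer, r, a.Paths.LogoutOK, http.StatusFound)
			// Stop here instead of passing the failed request on to h.
			return
		}

		h.ServeHTTP(writer, request)
	})
}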

Or even more, we can define a callback function, like OnCookieError, and invoke it here.

Anyway, I think an appropriate way is to delete the cookie and redirect to the login page with some text like “your login credential is out-of-date, please login again”. What do you think?

raven-chen, May 22 '19 01:05

That's possible too I guess. I think that'd also be fine.

aarondl, Jul 13 '19 02:07
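
The callback idea raised in this thread, as an added example that is not code from the thread or from authboss: `StateLoader`, `CookieErrorHandler`, `LoadState`, `ClearAndRedirect`, the cookie name `session` and the path `/login` are hypothetical stand-ins, and only the standard library is used. On a load failure the middleware expires the cookie, redirects with a 302, and returns before the wrapped handler runs.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// StateLoader is a hypothetical stand-in for the step that decodes client
// state; it returns an error when the cookie is expired or invalid.
type StateLoader func(r *http.Request) (*http.Request, error)

// CookieErrorHandler is the hypothetical OnCookieError callback.
type CookieErrorHandler func(w http.ResponseWriter, r *http.Request, err error)

// LoadState wraps next. On a load error it calls onErr and returns, so next
// never runs with a request whose state failed to load.
func LoadState(load StateLoader, onErr CookieErrorHandler, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		req, err := load(r)
		if err != nil {
			onErr(w, r, err)
			return
		}
		next.ServeHTTP(w, req)
	})
}

// ClearAndRedirect expires the cookie and redirects to a fixed login path.
func ClearAndRedirect(cookieName, loginPath string) CookieErrorHandler {
	return func(w http.ResponseWriter, r *http.Request, _ error) {
		http.SetCookie(w, &http.Cookie{Name: cookieName, Path: "/", MaxAge: -1, HttpOnly: true})
		http.Redirect(w, r, loginPath, http.StatusFound)
	}
}

// Demo sends a request with a constructed stale cookie through the middleware.
func Demo() (status int, location, setCookie string, nextCalled bool) {
	load := func(*http.Request) (*http.Request, error) { return nil, errors.New("cookie expired") }
	next := http.HandlerFunc(func(http.ResponseWriter, *http.Request) { nextCalled = true })
	req := httptest.NewRequest(http.MethodGet, "/account", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "stale"})
	rec := httptest.NewRecorder()
	LoadState(load, ClearAndRedirect("session", "/login"), next).ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("Location"), rec.Header().Get("Set-Cookie"), nextCalled
}

func main() { fmt.Println(Demo()) }
```

The redirect target is a fixed path rather than anything read from the request, so the error path cannot be steered to another site.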