refactor(middleware/session): Update session middleware idle timeout

- Update the default idle timeout for session middleware from 24 hours to 30 minutes. - Add a note in the session middleware documentation about the importance of the middleware order.
gofiber · Sep 20, 2024 · 9ec2b30 · 9ec2b30
1 parent 937a9b3
commit 9ec2b30
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 23 deletions.
diff --git a/docs/middleware/session.md b/docs/middleware/session.md
@@ -226,6 +226,10 @@ func (s *Store) GetSessionByID(id string) (*Session, error)
 **Security Notice**: For robust security, especially during sensitive operations like account changes or transactions, consider using CSRF protection. Fiber provides a [CSRF Middleware](https://docs.gofiber.io/api/middleware/csrf) that can be used with sessions to prevent CSRF attacks.
 :::
 
+:::note
+**Middleware Order**: The order of middleware matters. The session middleware should come before any handler or middleware that uses the session (for example, the CSRF middleware).
+:::
+
 ### Middleware Handler (Recommended)
 
 ```go
@@ -395,7 +399,7 @@ func main() {
 | **CookiePath**        | `string`                       | The path scope of the session cookie.                                                      | `"/"`                     |
 | **CookieSameSite**    | `string`                       | The SameSite attribute of the session cookie.                                              | `"Lax"`                   |
 | **IdleTimeout**       | `time.Duration`                | Maximum duration of inactivity before session expires.                                     | `0` (no idle timeout)     |
-| **Expiration**        | `time.Duration`                | Maximum session duration before expiration.                                                | `24 * time.Hour`          |
+| **Expiration**        | `time.Duration`                | Maximum session duration before expiration.                                                | `30 * time.Minute`        |
 | **CookieSecure**      | `bool`                         | Ensures session cookie is only sent over HTTPS.                                            | `false`                   |
 | **CookieHTTPOnly**    | `bool`                         | Ensures session cookie is not accessible to JavaScript (HTTP only).                        | `true`                    |
 | **CookieSessionOnly** | `bool`                         | Prevents session cookie from being saved after the session ends (cookie expires on close). | `false`                   |
@@ -413,8 +417,7 @@ session.Config{
     CookieDomain:      "",
     CookiePath:        "",
     CookieSameSite:    "Lax",
-    IdleTimeout:       24 * time.Hour,
-    Expiration:        24 * time.Hour,
+    IdleTimeout:       30 * time.Minute,
     CookieSecure:      false,
     CookieHTTPOnly:    false,
     CookieSessionOnly: false,

diff --git a/middleware/session/config.go b/middleware/session/config.go
@@ -59,14 +59,9 @@ type Config struct {
 	sessionName string
 
 	// Allowed session idle duration
-	// Optional. Default value 24 * time.Hour
+	// Optional. Default value 30 * time.Minute.
 	IdleTimeout time.Duration
 
-	// TODO: Implement this, or remove and leave it to the user to implement
-	// // Allowed session duration
-	// // Optional. Default value 24 * time.Hour
-	// Expiration time.Duration
-
 	// Indicates if cookie is secure.
 	// Optional. Default value false.
 	CookieSecure bool
@@ -76,7 +71,7 @@ type Config struct {
 	CookieHTTPOnly bool
 
 	// Decides whether cookie should last for only the browser session.
-	// Ignores Expiration if set to true
+	// Ignores IdleTimeout if set to true
 	// Optional. Default value false.
 	CookieSessionOnly bool
 }
@@ -91,7 +86,7 @@ const (
 
 // ConfigDefault is the default config
 var ConfigDefault = Config{
-	IdleTimeout:  24 * time.Hour,
+	IdleTimeout:  30 * time.Minute,
 	KeyLookup:    "cookie:session_id",
 	KeyGenerator: utils.UUIDv4,
 	source:       "cookie",

diff --git a/middleware/session/middleware.go b/middleware/session/middleware.go
@@ -10,12 +10,11 @@ import (
 
 // Middleware defines the session middleware configuration
 type Middleware struct {
-	Session    *Session
-	ctx        *fiber.Ctx
-	config     Config
-	mu         sync.RWMutex
-	hasChanged bool // TODO: use this to optimize interaction with the session store
-	destroyed  bool
+	Session   *Session
+	ctx       *fiber.Ctx
+	config    Config
+	mu        sync.RWMutex
+	destroyed bool
 }
 
 // key for looking up session middleware in request context
@@ -161,7 +160,6 @@ func releaseMiddleware(m *Middleware) {
 	m.Session = nil
 	m.ctx = nil
 	m.destroyed = false
-	m.hasChanged = false
 	m.mu.Unlock()
 	middlewarePool.Put(m)
 }
@@ -201,7 +199,6 @@ func (m *Middleware) Set(key string, value any) {
 	defer m.mu.Unlock()
 
 	m.Session.Set(key, value)
-	m.hasChanged = true
 }
 
 // Get retrieves a value from the session by key.
@@ -235,7 +232,6 @@ func (m *Middleware) Delete(key string) {
 	defer m.mu.Unlock()
 
 	m.Session.Delete(key)
-	m.hasChanged = true
 }
 
 // Destroy destroys the session.
@@ -292,7 +288,6 @@ func (m *Middleware) Reset() error {
 	defer m.mu.Unlock()
 
 	err := m.Session.Reset()
-	m.hasChanged = true
 	return err
 }
 

diff --git a/middleware/session/session.go b/middleware/session/session.go
@@ -292,7 +292,7 @@ func (s *Session) saveSession() error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	// Check if session has your own expiration, otherwise use default value
+	// Check is the session has an idle timeout
 	if s.idleTimeout <= 0 {
 		s.idleTimeout = s.config.IdleTimeout
 	}
@@ -330,7 +330,7 @@ func (s *Session) Keys() []string {
 	return s.data.Keys()
 }
 
-// SetIdleTimeout sets a specific expiration for this session.
+// SetIdleTimeout sets a specific idle timeout for the session.
 //
 // Parameters:
 //   - idleTimeout: The duration for the idle timeout.