Setting "domain" in session cookie

amitmahajan82 · October 28, 2023, 2:50pm

Hello,

I am using gin with gin-contrib/sessions for session management. With this session management package, session cookie is going in the response, but I am not able set “domain” in the cookie due to some bug in gin-contrib/sessions. Is there any other package that can be used for session management, but allows to set “domain” in the session cookie?

Thanks
Amit

ditchx · October 29, 2023, 8:41am

Setting the domain name via Options() seems to be working fine:

	store := cookie.NewStore([]byte("secret"))
	store.Options(sessions.Options{Domain: "yourdomain.com"})

Modified example from GitHub - gin-contrib/sessions: Gin middleware for session management :

https://www.screencast.com/t/imca3bisCAWQ

Setting the cookie domain to “bar.com” makes the cookie accessible from its subdomains like “foo.bar.com” and “baz.bar.com”. Setting it to a subdomain such as “foo.bar.com” makes the cookie accessible only on that subdomain.

amitmahajan82 · October 30, 2023, 12:09am

Thanks Rolan for the reply.

I am following the same approach, but instead of cookies package, I am using Redis for storing the session. At my end, it doesn’t work with Redis, Set-Cookie in HTTP response contains: Set-Cookie: mysession=; Domain=dev.com i.e. mysession is empty. It works fine for me if I use cookie store.

Please have a look at the following code, does it work for you?

package main

import (
“GitHub - gin-contrib/sessions: Gin middleware for session management”
“github.com/gin-contrib/sessions/redis”
“GitHub - gin-gonic/gin: Gin is a HTTP web framework written in Go (Golang). It features a Martini-like API with much better performance -- up to 40 times faster. If you need smashing performance, get yourself some Gin.”
)

func main() {
r := gin.Default()
store, _ := redis.NewStore(10, “tcp”, “localhost:6379”, “”, byte(“secret”))
store.Options(sessions.Options{Domain: “dev.com”})

r.Use(sessions.Sessions(“mysession”, store))

r.GET(“/incr”, func(c *gin.Context) {
session := sessions.Default(c)
var count int
v := session.Get(“count”)
if v == nil {
count = 0
} else {
count = v.(int)
count++
}
session.Set(“count”, count)
session.Save()
c.JSON(200, gin.H{“count”: count})
})
r.Run(“:8000”)
}

ditchx · October 30, 2023, 2:05pm

Since we are passing a new sessions.Options{} struct and the MaxAge was not set an explicit value, it uses a zero-value instead, overwriting the default that was set when the store was created, possibly causing the MaxAge to be set to zero and automatically expiring your session:

github.com

boj/redistore/blob/master/redistore.go#L206


      
          }
          
          // NewRediStoreWithPool instantiates a RediStore with a *redis.Pool passed in.
          func NewRediStoreWithPool(pool *redis.Pool, keyPairs ...[]byte) (*RediStore, error) {
          	rs := &RediStore{
          		// http://godoc.org/github.com/gomodule/redigo/redis#Pool
          		Pool:   pool,
          		Codecs: securecookie.CodecsFromPairs(keyPairs...),
          		Options: &sessions.Options{
          			Path:   "/",
          			MaxAge: sessionExpire,
          		},
          		DefaultMaxAge: 60 * 20, // 20 minutes seems like a reasonable default
          		maxLength:     4096,
          		keyPrefix:     "session_",
          		serializer:    GobSerializer{},
          	}
          	_, err := rs.ping()
          	return rs, err
          }

Try specifying a MaxAge for session expiration along with the domain. MaxAge default used by the lib was set to 30 days, so you can use that.

	store.Options(sessions.Options{Domain: "dev.com", MaxAge: 86400 * 30})

I haven’t dug deep to see if you also need to set the Path to “/”, but I think it uses “/” if the Path is empty.

amitmahajan82 · November 3, 2023, 12:00am

Thanks Rolan, it worked. However, Path and Max Age had to be set explicitly in session options.

system · February 1, 2024, 12:01am

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.