[BUG] Session is not destroyed in request cookie and so not recreated

[mblaschke]

Describe the bug
When trying to regenerate a session (destroy & start again in same request) it isn't working anymore with iris v12.2.0-beta1

To Reproduce

package main

import (
	"github.com/kataras/iris/v12"

	"github.com/kataras/iris/v12/sessions"
)

const cookieNameForSessionID = "session_id_cookie"

var sess *sessions.Sessions

func secret(ctx iris.Context) {
	// Check if user is authenticated
	if auth, _ := sessions.Get(ctx).GetBoolean("authenticated"); !auth {
		ctx.StatusCode(iris.StatusForbidden)
		return
	}

	// Print secret message
	ctx.WriteString("The cake is a lie!")
}

func login(ctx iris.Context) {
	session := sessions.Get(ctx)

        sess.Destroy(ctx)
        session = sess.Start(ctx)
	// Authentication goes here
	// ...

	// Set user as authenticated
	session.Set("authenticated", true)
}

func logout(ctx iris.Context) {
	session := sessions.Get(ctx)

	// Revoke users authentication
	session.Set("authenticated", false)
}

func main() {
	app := iris.New()
	sess = sessions.New(sessions.Config{
		Cookie: cookieNameForSessionID,
		// CookieSecureTLS: true,
		AllowReclaim: true,
	})
	app.Use(sess.Handler())
	// ^ or comment this line and use sess.Start(ctx) inside your handlers
	// instead of sessions.Get(ctx).

	app.Get("/secret", secret)
	app.Get("/login", login)
	app.Get("/logout", logout)

	app.Listen(":8080")
}

iris v12.1.8 response headers for /login:

Set-Cookie: session_id_cookie=; Path=/; Domain=localhost; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=0
Set-Cookie: session_id_cookie=983fdcd2-c625-4854-8548-d90fdd5a2f3b; Path=/; Domain=localhost; Expires=Mon, 04 Mar 2047 01:07:52 GMT; Max-Age=784688398; HttpOnly; SameSite=Lax

iris v12.2.0-beta1 response headers for /login:

Set-Cookie: session_id_cookie=; Path=/; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=0; HttpOnly

iris @master response headers for /login (also wrong order?):

Set-Cookie: session_id_cookie=49e6457d-5735-40f5-b928-868cae3a945e; Path=/; Domain=localhost; Expires=Mon, 04 Mar 2047 01:11:48 GMT; Max-Age=784688345; HttpOnly; SameSite=Lax
Set-Cookie: session_id_cookie=; Path=/; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=0; HttpOnly

Expected behavior
Session is cleared (also invalidated in request cookies?) and a new session is created
and only one Set-Cookie header is sent

Desktop (please complete the following information):

• OS: osx

iris.Version

• v12.2.0-beta1

Additional context
or implement a way to recreate the session

[kataras]

Hello @mblaschke,

I don't understand, what's the use case of that code snippet? Share with me the final goal, what you want to achieve, so I can come back with a better solution than re-creating a session twice in the same request-response lifecycle.

	session := sessions.Get(ctx)

	sess.Destroy(ctx)
	session = sess.Start(ctx)

Why session := sessions.Get(ctx) and then session = sess.Start(ctx) (session is unused), while this handler already wrapped with a session middeware on main function app.Use(sess.Handler())?

[mblaschke]

use case: regenerate the session id for login/privilege change

so i want to destroy the old session, and start a fresh session (and copy over some data)

https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change

[kataras]

Fixed @mblaschke :) Thanks for the link/reminder though. Update to @master: go get github.com/kataras/iris/v12@master and run go mod tidy -compat=1.18.