So I was writing a backend using Go, and while I was testing the login/logout function I noticed that if I try to access a page with an expired cookie I'm allowed to do so. This happens only if I use a faulty client, because if I use my browser it works correctly, which I guess means that the cookie is deleted from the web-browser but not from my back-end.
I've tested different solutions, but nothing seems to work, what I've noticed is this: I've taken note of the pointer of the map which maps the cookies and I've noticed that despite setting "authenticated" value to false when the faulty client tries to access the page the map has its value set to true.
this is the middle ware that handles pages in which the user should be logged in and this should block the faulty client from logging in because "authenticated" value from session-handler should be false ( but it is true, despite being set to false before )
func (s *server) loggedInOnly(handlerFunc http.HandlerFunc) http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
session, _ := s.store.Get(request, "session-handler")
log.Printf("loggedInOnly: %p %v", &session.Values, session.Values)
if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
http.Error(writer, "Forbidden", http.StatusForbidden)
return
}
handlerFunc(writer, request)
}
}
this is the logout function which should delete the cookie ( but it doesn't delete it internally )
func (s *server) handleLogout() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
session, _ := s.store.Get(request, "session-handler")
session.Values["authenticated"] = false
session.Options.MaxAge = -1
session.Save(request, writer)
log.Printf("logout: %p, %v", &session.Values, session.Values)
fmt.Fprint(writer, "Succesfully logged out")
log.Printf("%v was logged out", writer)
}
}
and this is the login function
func (s *server) handleLogin() http.HandlerFunc {
return func(writer http.ResponseWriter, request *http.Request) {
log.Printf("handle login called")
session, _ := s.store.Get(request, "session-handler")
// can login or not
session.Values["authenticated"] = true
session.Save(request, writer)
Success(writer, "successfully logged in")
}
}
I should expect the cookie to be invalid from my webserver so that when the faulty client tries to reconnect authenticated is set to false and he shouldn't be able to access loggedInOnly pages, instead I he can because authenticated value is set to true ( despite being set to false right before ).
these are the logs:
2019/01/05 17:00:00 loggedInOnly: 0xc0421960b0 map[authenticated:true]
2019/01/05 17:00:00 logout: 0xc0421960b0, map[authenticated:false]
2019/01/05 17:00:01 loggedInOnly: 0xc0420a4560 map[authenticated:true]
2019/01/05 17:00:01 logout: 0xc0420a4560, map[authenticated:false]
as you can see "authenticated" is set before to false then immediatly after it is true despite nothing happening in between