Updating session expiry time?

179 views
Skip to first unread message

Hippo Man

unread,
Jun 3, 2019, 6:47:33 PM6/3/19
to Gorilla web toolkit

I know how to use gorilla to manage sessions. But what I'm trying to accomplish is to set the session expiry time to a later date at run time, depending upon various application conditions. I haven't been able to figure out how to update this expiry time.


Consider the following code fragment ...


    skey  := "some sort of secret key"
    sname := "some sort of session name"

    session_store := sessions.NewCookieStore([]byte(skey))
    session_store.Options = &sessions.Options{                                                                                        
        MaxAge: 300,                                                                                                       
    }

    // `r` is previously defined as the current *http.Request
    sess, err := session_store.Get(r, sname)

As written, sess will expire 300 seconds after it was initialized. But how can I extend the lifetime of sess before this much time passes, so that its expiry will then occur at a later time?


Thank you in advance.


Stephen Michaelis

unread,
Jun 3, 2019, 7:26:31 PM6/3/19
to Gorilla web toolkit
Hello, 

someone please correct me if I am wrong, 

when you save your session in your code somewhere, provided the cookie is not already expired, it should update the cookie (http.SetCookie) on the client with a new cookie that has a new expiry of current time + MaxAge

func (ms *MongoStore) Save(r *http.Request, w http.ResponseWriter, session *sessions.Session) error {
    
    ...

    // update cookie
    encoded, err := securecookie.EncodeMulti(session.Name(), session.ID, ms.Codecs...)
    if err != nil {
        return err
    }
    http.SetCookie(w, sessions.NewCookie(session.Name(), encoded, session.Options))

    ...

    return nil
}



Matt S

unread,
Jun 3, 2019, 7:37:42 PM6/3/19
to goril...@googlegroups.com
Correct - "save" writes a "fresh" cookie out.

--
You received this message because you are subscribed to the Google Groups "Gorilla web toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gorilla-web...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/gorilla-web/7f3e38bc-8e84-49fb-a42c-27849725b190%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Hippo Man

unread,
Jun 3, 2019, 7:38:14 PM6/3/19
to Gorilla web toolkit
Thank you.

If this is the case, then I'm still missing the functionality I want, but for a different reason.

To be specific, this is what I want to accomplish ...

(1) Create a session with a certain MaxAge ... say, 900 seconds.
Let's say I do this at 9:00 AM. With that given MaxAge, the session will expire at 9:15 AM.

(2) Change and save data within the session as many times as I want.
I do not want the expiry time to go past 9:15 AM.

(3) Before 9:15 AM, I want to reset the session to expire at, say, 9:30 AM.

(4) Then, change and save data within the session as many times as I want.
I now want the session to expire at 9:30 AM, no matter how many times I change and save the data.

Note that I'm talking about a specific session that is managed via given session store.

Is this scenario possible under gorilla?

Matt S

unread,
Jun 3, 2019, 7:52:30 PM6/3/19
to goril...@googlegroups.com
It is not - if you save the cookie, then it will set the Expiry to now() + MaxAge.

Can you expand on _why_ you want that functionality? You could always save an "expiresAt" value in the cookie and read that / validate that separately from the HTTP cookie mechanism.



--
You received this message because you are subscribed to the Google Groups "Gorilla web toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gorilla-web...@googlegroups.com.

Hippo Man

unread,
Jun 3, 2019, 7:52:55 PM6/3/19
to Gorilla web toolkit
Also ... is it possible to query a given session to find out its expiry time, or alterntively, the amount of time remaining until MaxAge is reached?

Note that I'm creating the given session via ...

      sess, err := session_store.Get(r, sname)

I specifically want to query sess to find either its expiration time or the amount of time remaining before expiry.


Matt S

unread,
Jun 3, 2019, 7:56:24 PM6/3/19
to goril...@googlegroups.com
MaxAge is a HTTP cookie parameter - if the cookie is "expired" the browser will no longer send it (it's effectively deleted). As a server, you can't see the remaining expiry time - either the cookie is unexpired and the client sends it, or it does not.

(Again, part of the HTTP cookie spec).

Store an "expiresAt" key in your session.Values if you really need to determine this.

--
You received this message because you are subscribed to the Google Groups "Gorilla web toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gorilla-web...@googlegroups.com.

Hippo Man

unread,
Jun 3, 2019, 7:59:50 PM6/3/19
to Gorilla web toolkit

On Monday, June 3, 2019 at 7:52:30 PM UTC-4, Matt S wrote:
Can you expand on _why_ you want that functionality?

I want to create a login session and store application-specific variables within the session object for as long as the login is active. The values of some of these variables could change, based upon the way the user interacts with the application, but I don't want the storing of these values to affect the lifetime of the session.

One of the functions available to the user of the application is to request an extension of the login session. Only then would I want the session's expiry time to change.

I am already storing my equivalent of an `expiresAt` value and force-ending the session whenever that time is reached, and I am optionally allowing the user to extend that time ... so I know I can implement my desired functionality this way. I was just hoping there would be a way to manage this within gorilla itself.

I now see that this is not possible, so I'll just stick with my current implementation.

Hippo Man

unread,
Jun 3, 2019, 8:16:45 PM6/3/19
to Gorilla web toolkit
In my not-too-ample spare time, I'm going to try to write a session layer that sits "above" the github.com/gorilla/sessions package.

It will have some wrapper functions around gorilla's functions for session creation, session access, session saving, etc.

These wrapper functions will create sessions with a huge (or possibly infinite) MaxAge, and they will create an expiresAt attribute within each session.
Every time the session is accessed in any way via these wrapper functions (getting/setting/querying session variables, etc.), this expiresAt value will be queried, and if it's earlier than the current time, the session will be immediately force-expired.

I will also supply a wrapper function to modify the expiresAt attribute.

Given the small amount of spare time I have, this is going to take a while to implement. But it will be fun! ... and useful.


Matt S

unread,
Jun 3, 2019, 8:48:58 PM6/3/19
to goril...@googlegroups.com
Wouldn’t this just be a wrapper over save() that  takes an additional argument - and uses the aforementioned expiresAt to track it? I don’t think that would be too complicated.

func saveSession(sess *sessions.Session, w http.ResponseWriter, r *http.Request, extendExpiry bool) error

I am still concerned you’re overthinking this though - if your expiresAt value is earlier than now() - why wouldn’t you set MaxAge to match this?

--
You received this message because you are subscribed to the Google Groups "Gorilla web toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gorilla-web...@googlegroups.com.

Hippo Man

unread,
Jun 3, 2019, 9:24:23 PM6/3/19
to Gorilla web toolkit
The wrapper around sessionstore.Get would take an int64 expiresAt parameter, and it would set that parameter within the returned session object (after saving).

I would also write a mysession.Get(name) which returns session.Values[name], but before doing so, it would check expiresAt and fail if it is earlier than the current time.

I would write something called mysession.Set(name, value) which does a session.Values[name] = value, but also checks expiresAt first and fails if that time has passed.

And yes, I would also do that expiresAt test within the wrapper around session.Save

And I would write a session.SetExpires which just sets expiresAt to a new value.

And the mechanism I would use to "fail" (i.e., "force expire" the session) when expiresAt is earlier than now is simply to set MaxAge to -1.

But all this logic would be encapsulated within my wrapper functions, so I don't have to think about the details any more, once this is implemented.
Reply all
Reply to author
Forward
0 new messages