Test_Session_Fresh_Flag_Bug() — fiber Function Reference

Source Code

middleware/session/session_test.go lines 1572–1618

func Test_Session_Fresh_Flag_Bug(t *testing.T) {
	t.Parallel()

	store := NewStore()
	app := fiber.New()

	// Test Case 1: First call with no session cookie - should be fresh
	ctx1 := app.AcquireCtx(&fasthttp.RequestCtx{})
	sess1, err := store.Get(ctx1)
	require.NoError(t, err)
	require.True(t, sess1.Fresh(), "First session should be fresh (no cookie provided)")
	sessionID := sess1.ID()
	require.NoError(t, sess1.Save())
	sess1.Release()
	app.ReleaseCtx(ctx1)

	// Test Case 2: Second call with session cookie - should NOT be fresh
	ctx2 := app.AcquireCtx(&fasthttp.RequestCtx{})
	ctx2.Request().Header.SetCookie("session_id", sessionID)
	sess2, err := store.Get(ctx2)
	require.NoError(t, err)
	require.False(t, sess2.Fresh(), "Existing session should not be fresh")
	require.Equal(t, sessionID, sess2.ID())

	// Test Case 3: Call getSession() again in the same request
	// This simulates what happens when CSRF middleware calls store operations
	// The session ID is now in context locals from the first getSession() call
	sess3, err := store.getSession(ctx2)
	require.NoError(t, err)
	require.False(t, sess3.Fresh(), "Session should still not be fresh on second getSession() call in same request")
	require.Equal(t, sessionID, sess3.ID())

	sess2.Release()
	sess3.Release()
	app.ReleaseCtx(ctx2)

	// Test Case 4: Expired session - should generate new ID and be fresh
	ctx3 := app.AcquireCtx(&fasthttp.RequestCtx{})
	ctx3.Request().Header.SetCookie("session_id", "expired-or-nonexistent-id")
	sess4, err := store.Get(ctx3)
	require.NoError(t, err)
	require.True(t, sess4.Fresh(), "New session (after expired/missing data) should be fresh")
	require.NotEqual(t, "expired-or-nonexistent-id", sess4.ID(), "Should have generated a new session ID")

	sess4.Release()
	app.ReleaseCtx(ctx3)
}