🔥 feat: Add ExpireCookie method for cookies with Path/Domain

[darwin808]

Summary

• Adds ExpireCookie(cookie Cookie) method to properly expire cookies that were set with specific Path or Domain attributes
• Updates ClearCookie documentation to note its limitation with Path/Domain cookies

Fixes #2878

Problem

ClearCookie() does not work for cookies that were set with specific Path or Domain attributes. This is because browsers require matching attributes to properly clear a cookie (per RFC 6265). The underlying fasthttp.DelClientCookie does not support setting these attributes.

Solution

Added a new ExpireCookie(cookie Cookie) method that allows specifying the Path, Domain, Secure, and HTTPOnly attributes when expiring a cookie. This ensures the browser properly matches and clears it.

// Before: Workaround required
c.Cookie(&fiber.Cookie{
    Name:    "token",
    Expires: time.Now().Add(-time.Hour),
    Path:    "/admin",
    Domain:  "example.com",
})

// After: Clean solution
c.Res().ExpireCookie(fiber.Cookie{
    Name:   "token",
    Path:   "/admin",
    Domain: "example.com",
})

Test plan

• Added unit tests for ExpireCookie with various attribute combinations (path, domain, secure, httponly)
• All existing cookie tests pass
• Updated documentation with examples

[coderabbitai]

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.

Walkthrough

Adds ExpireCookie(cookie *Cookie) to Ctx and Res; implements it on DefaultRes to expire cookies by matching Name, Path, Domain, Secure, HTTPOnly, SameSite, and Partitioned while overwriting Value and Expires; adds tests and docs and clarifies ClearCookie limitations. (≤50 words)

Changes

Cohort / File(s)	Summary
Interfaces \ctx_interface_gen.go`, `res_interface_gen.go``	Added ExpireCookie(cookie *Cookie) method signatures to Ctx and Res; clarified ClearCookie docs to note it does not handle Domain/Path-specific cookies and recommends ExpireCookie.
Response implementation \res.go``	Added func (r *DefaultRes) ExpireCookie(cookie *Cookie) that builds a fasthttp.Cookie, clears Value, sets an expired Expires, applies Path, Domain, Secure, HTTPOnly, SameSite, and Partitioned rules (forcing Secure where required), and writes it to the response header. Also adjusted Cookie(cookie *Cookie) to enforce Secure when Partitioned is true.
Tests \ctx_test.go``	Added Test_Ctx_ExpireCookie verifying Set-Cookie output for cookies with Path, Domain, Path+Domain, Secure, HttpOnly, SameSite variants (Strict/Lax/None), and Partitioned; removed test asserting Partitioned-without-Secure (auto-fixed).
Docs \docs/api/ctx.md``	Documented ExpireCookie(cookie *Cookie) API, usage examples covering Path, Domain, Secure, HTTPOnly, SameSite, Partitioned, and a note listing which Cookie fields are used when expiring.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• 🧹 chore: Improve Cookie() validation #3546 — modifies cookie serialization/validation and Partitioned/SameSite/Secure handling relevant to ExpireCookie behavior.
• ✨ v3 (feature): add CHIPS support to Cookie #3047 — introduces Cookie.Partitioned handling and CHIPS-related semantics reused here.

Suggested labels

📒 Documentation, 📜 RFC Compliance

Suggested reviewers

• gaby
• sixcolors
• ReneWerner87
• efectn

Poem

🐰 I hopped through code at break of day,
I nudged the cookie crumbs away.
Path, Domain, SameSite set just right,
I set their clocks to fade tonight.
Farewell, small crumb — I hop in light.

Pre-merge checks and finishing touches

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly describes the main change: adding an ExpireCookie method specifically for handling cookies with Path/Domain attributes, which is the primary focus of this PR.
Description check	✅ Passed	The description is well-structured with summary, problem statement, solution, code examples, and test plan, covering most template requirements including documentation updates and unit tests.
Linked Issues check	✅ Passed	The PR fully addresses issue #2878 by implementing ExpireCookie with support for Path, Domain, Secure, HTTPOnly, SameSite, and Partitioned attributes, allowing proper cookie expiration as required.
Out of Scope Changes check	✅ Passed	All changes are directly related to implementing ExpireCookie and its supporting infrastructure (interfaces, tests, documentation). The auto-enforcement of Secure=true for Partitioned cookies is a necessary supporting change aligned with CHIPS spec.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate docstrings

---

📜 Recent review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ebb04fc and ab2fd70.

📒 Files selected for processing (2)

• ctx_test.go
• res.go

🚧 Files skipped from review as they are similar to previous changes (1)

• ctx_test.go

🧰 Additional context used

📓 Path-based instructions (1)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

Prefer github.com/gofiber/utils/v2 helpers (for example, utils.Trim) when performing common operations such as string manipulation, whenever it is practical and appropriate for the surrounding code

Files:

• res.go

🧠 Learnings (4)

📓 Common learnings

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

📚 Learning: 2025-07-19T14:06:29.884Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3598
File: docs/middleware/csrf.md:37-42
Timestamp: 2025-07-19T14:06:29.884Z
Learning: In Fiber v3, the CookieSameSite constants use lowercase values: CookieSameSiteLaxMode = "lax", CookieSameSiteStrictMode = "strict", CookieSameSiteNoneMode = "none". Documentation examples should use lowercase string values or the typed constants, not capitalized strings like "Lax".

Applied to files:

• res.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Applied to files:

• res.go

📚 Learning: 2025-07-17T11:39:38.265Z

Learnt from: ReneWerner87
Repo: gofiber/fiber PR: 3564
File: client/cookiejar.go:128-130
Timestamp: 2025-07-17T11:39:38.265Z
Learning: In the fasthttp library, the `Cookie.CopyTo(src *Cookie)` method copies the source cookie (parameter) to the receiver cookie, so `nc.CopyTo(c)` copies cookie `c` into cookie `nc`.

Applied to files:

• res.go

🧬 Code graph analysis (1)

res.go (1)

constants.go (3)

• CookieSameSiteStrictMode (315-315)
• CookieSameSiteNoneMode (316-316)
• CookieSameSiteLaxMode (314-314)

🔇 Additional comments (3)

res.go (3)

204-206: Clear documentation improvement!

The added note correctly explains ClearCookie's limitation with Path/Domain attributes and directs users to ExpireCookie for those cases. This helps prevent confusion when cookies don't clear as expected.

---

221-267: Excellent implementation of ExpireCookie!

The method correctly handles all cookie attributes needed for browser matching (Name, Path, Domain, Secure, HTTPOnly, SameSite, Partitioned). The auto-enforcement of Secure=true for both SameSite=None (line 250) and Partitioned (line 260) ensures compliance with RFC 6265bis and CHIPS spec.

The use of utils.EqualFold for case-insensitive SameSite comparison is appropriate per coding guidelines, and the memory management with fasthttp.AcquireCookie/ReleaseCookie is correct.

All previous review concerns about SameSite and Partitioned support have been addressed.

---

303-306: Good addition of Partitioned enforcement!

This correctly enforces Secure=true when Partitioned=true per the CHIPS spec, ensuring consistency between the Cookie() and ExpireCookie() methods. The placement before http.Cookie creation (line 309) ensures the validation sees the enforced value.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @darwin808, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the framework's cookie management capabilities by introducing a dedicated ExpireCookie method. This new functionality resolves a long-standing issue where the ClearCookie method was unable to properly expire cookies that were initially set with specific Path or Domain attributes, a common requirement for secure and precise cookie handling. By allowing the explicit specification of these attributes during expiration, the framework now fully complies with browser standards, providing developers with a more robust and intuitive way to manage client-side cookies.

Highlights

• New ExpireCookie Method: Introduced a new ExpireCookie(cookie Cookie) method to correctly expire cookies that were set with specific Path or Domain attributes, addressing a limitation of the existing ClearCookie method.
• Enhanced Cookie Expiration: The new method allows specifying Name, Path, Domain, Secure, and HTTPOnly attributes, ensuring proper cookie expiration according to RFC 6265 requirements.
• Updated ClearCookie Documentation: The documentation for ClearCookie has been updated to explicitly note its limitation with cookies that have specific Path or Domain attributes, guiding users to the new ExpireCookie method for such cases.
• Comprehensive Unit Tests: Added extensive unit tests for ExpireCookie covering various attribute combinations (path, domain, secure, httponly) to ensure its reliability and correctness.
• API Documentation and Examples: The API documentation (docs/api/ctx.md) has been updated with detailed explanations, signature, and practical examples for the new ExpireCookie method, including a comparison to the previous workaround.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a new ExpireCookie method to correctly expire cookies with specific Path or Domain attributes, addressing a limitation in the existing ClearCookie method. The implementation is a good start, but it's missing support for SameSite and Partitioned attributes, which are crucial for expiring modern cookies correctly. I've provided suggestions to add this functionality, update the corresponding documentation, and enhance the unit tests for better coverage and maintainability.

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

ctx_test.go (1)

4506-4562: Solid coverage for ExpireCookie; consider a couple of small assertions

The test exercises the important combinations (Path, Domain, Path+Domain, Secure+HttpOnly) and verifies the Set-Cookie line in a robust, order‑independent way. Two optional tightenings you might consider:

• Also assert require.Contains(t, setCookie, "expires=") in the Domain and Path+Domain (and possibly Secure+HttpOnly) cases, so every variant explicitly checks that the cookie is actually expired, not just that attributes are present.
• Optionally add a single scenario that calls c.ExpireCookie(...) instead of c.Res().ExpireCookie(...) to exercise the Ctx helper as well as the Res method.

Using Response().Header.Peek(HeaderSetCookie) with string matching is consistent with the established pattern of manually inspecting Set-Cookie in Fiber tests, instead of relying on Header.Cookie. Based on learnings, ...

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 789c56f and 2a2f69c.

📒 Files selected for processing (5)

• ctx_interface_gen.go
• ctx_test.go
• docs/api/ctx.md
• res.go
• res_interface_gen.go

🧰 Additional context used

📓 Path-based instructions (4)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

Prefer github.com/gofiber/utils/v2 helpers (for example, utils.Trim) when performing common operations such as string manipulation, whenever it is practical and appropriate for the surrounding code

Files:

• ctx_interface_gen.go
• res.go
• ctx_test.go
• res_interface_gen.go

docs/**

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Review and update the contents of the docs folder if necessary when modifying code

Files:

• docs/api/ctx.md

**/*.md

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Run make markdown to lint all Markdown files when modifying code

Files:

• docs/api/ctx.md

**/*_test.go

📄 CodeRabbit inference engine (AGENTS.md)

When adding Go tests, always invoke t.Parallel() at the start of each test and subtest to maximize concurrency

Files:

• ctx_test.go

🧠 Learnings (8)

📓 Common learnings

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-07-01T03:44:03.672Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:22-25
Timestamp: 2024-10-08T19:06:06.583Z
Learning: The `encryptcookie_test.go` file contains unit tests that validate key lengths for both `EncryptCookie` and `DecryptCookie` functions, ensuring that invalid key lengths raise appropriate errors.

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:22-25
Timestamp: 2024-07-02T13:29:56.992Z
Learning: The `encryptcookie_test.go` file contains unit tests that validate key lengths for both `EncryptCookie` and `DecryptCookie` functions, ensuring that invalid key lengths raise appropriate errors.

📚 Learning: 2024-09-25T15:57:10.221Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Applied to files:

• ctx_interface_gen.go
• res.go
• docs/api/ctx.md
• ctx_test.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:22-25
Timestamp: 2024-10-08T19:06:06.583Z
Learning: The `encryptcookie_test.go` file contains unit tests that validate key lengths for both `EncryptCookie` and `DecryptCookie` functions, ensuring that invalid key lengths raise appropriate errors.

Applied to files:

• ctx_test.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Applied to files:

• ctx_test.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3051
File: middleware/session/session.go:215-216
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Parallel tests for `Session.Save` already exist in the `middleware/session/session_test.go` file, specifically in the `Test_Session_Save` and `Test_Session_Save_Expiration` functions.

Applied to files:

• ctx_test.go

📚 Learning: 2024-07-01T03:33:22.283Z

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:51-54
Timestamp: 2024-07-01T03:33:22.283Z
Learning: Unit tests for key length enforcement in `DecryptCookie` have been added to ensure consistency and security in the encryption processes.

Applied to files:

• ctx_test.go

📚 Learning: 2024-10-12T10:01:44.206Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/session/middleware_test.go:190-191
Timestamp: 2024-10-12T10:01:44.206Z
Learning: When testing session `IdleTimeout` expiration, it's acceptable to use `time.Sleep` to simulate the passage of time in tests.

Applied to files:

• ctx_test.go

📚 Learning: 2024-11-29T12:37:27.581Z

Learnt from: efectn
Repo: gofiber/fiber PR: 3162
File: app_test.go:893-895
Timestamp: 2024-11-29T12:37:27.581Z
Learning: In the `Test_App_ShutdownWithContext` function in `app_test.go`, the `clientDone` channel is used to synchronize the client's request completion before proceeding, eliminating the need for additional `time.Sleep` calls.

Applied to files:

• ctx_test.go

🧬 Code graph analysis (2)

ctx_interface_gen.go (3)

res.go (1)

• Cookie (104-116)

client/request.go (1)

• Cookie (778-778)

bind_test.go (2)

• Cookie (1512-1516)
• Cookie (1757-1761)

ctx_test.go (3)

res_interface_gen.go (1)

• Res (13-174)

res.go (1)

• Cookie (104-116)

constants.go (1)

• HeaderSetCookie (197-197)

🔇 Additional comments (5)

res_interface_gen.go (1)

21-34: ClearCookie note and ExpireCookie API look consistent and clear

The new documentation accurately scopes ClearCookie’s limitations and positions ExpireCookie as the attribute-aware alternative; the ExpireCookie signature is minimal and consistent with the Cookie struct fields.

ctx_interface_gen.go (1)

327-340: Ctx-level ExpireCookie matches Res API and clarifies ClearCookie behavior

Adding ExpireCookie to Ctx with matching docs keeps the public surface coherent and clearly directs users away from ClearCookie for Domain/Path-specific cookies.

docs/api/ctx.md (2)

1743-1774: LGTM! Clear documentation of ClearCookie limitations.

The updated caution note and reference to ExpireCookie provide excellent guidance for developers who need to clear cookies with specific Path or Domain attributes.

---

1775-1813: LGTM! Comprehensive and well-structured documentation.

The ExpireCookie documentation is excellent:

• Clear method signature and description
• Practical examples covering common scenarios
• Important note about which Cookie fields are actually used

This will help developers properly expire cookies with Path/Domain attributes.

res.go (1)

202-219: LGTM! Documentation accurately reflects the limitation.

The updated ClearCookie documentation correctly notes that it cannot clear cookies with specific Path or Domain attributes, and appropriately directs users to ExpireCookie for those cases.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.63%. Comparing base (789c56f) to head (ab2fd70).
⚠️ Report is 8 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3976      +/-   ##
==========================================
- Coverage   91.67%   91.63%   -0.04%     
==========================================
  Files         119      119              
  Lines       10206    10290      +84     
==========================================
+ Hits         9356     9429      +73     
- Misses        538      544       +6     
- Partials      312      317       +5     

Flag	Coverage Δ
unittests	91.63% <100.00%> (-0.04%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[darwin808]

The CI failure in Test_App_Test_Goroutine_Leak_Compare is unrelated to this PR's changes. This test checks goroutine leak behavior in app.Test() and is sensitive to system load/timing during CI runs.

The test expected <10 leaked goroutines but got 14, which can vary based on:

• Concurrent test execution
• GC timing
• System background processes

Could a maintainer please re-run CI? The ExpireCookie changes only affect cookie handling and don't touch the app.Test() code path.

[gaby]

@darwin808 Don't use force push, we can't see what's changing between commits. Makes reviewing harder.

[gaby]

@darwin808 Tag me once the comments raised as addressed. Thanks 💪

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

docs/api/ctx.md (1)

1806-1810: Consider using the typed constant in documentation for consistency.

The example uses the string literal "Strict" which works correctly due to case-insensitive matching. For documentation clarity, you might consider showing the constant usage alongside the string literal, since users might import and use fiber.CookieSameSiteStrictMode.

// Using the constant:
c.Res().ExpireCookie(&fiber.Cookie{
    Name:     "csrf",
    SameSite: fiber.CookieSameSiteStrictMode,
})

This is a minor suggestion for consistency with how the codebase defines these values.

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cf04f3f and c715d6a.

📒 Files selected for processing (5)

• ctx_interface_gen.go
• ctx_test.go
• docs/api/ctx.md
• res.go
• res_interface_gen.go

🚧 Files skipped from review as they are similar to previous changes (2)

• res_interface_gen.go
• ctx_test.go

🧰 Additional context used

📓 Path-based instructions (3)

docs/**

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Review and update the contents of the docs folder if necessary when modifying code

Files:

• docs/api/ctx.md

**/*.md

📄 CodeRabbit inference engine (.github/copilot-instructions.md)

Run make markdown to lint all Markdown files when modifying code

Files:

• docs/api/ctx.md

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

Prefer github.com/gofiber/utils/v2 helpers (for example, utils.Trim) when performing common operations such as string manipulation, whenever it is practical and appropriate for the surrounding code

Files:

• ctx_interface_gen.go
• res.go

🧠 Learnings (3)

📓 Common learnings

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

📚 Learning: 2024-09-25T15:57:10.221Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Applied to files:

• docs/api/ctx.md
• res.go

📚 Learning: 2025-07-19T14:06:29.884Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3598
File: docs/middleware/csrf.md:37-42
Timestamp: 2025-07-19T14:06:29.884Z
Learning: In Fiber v3, the CookieSameSite constants use lowercase values: CookieSameSiteLaxMode = "lax", CookieSameSiteStrictMode = "strict", CookieSameSiteNoneMode = "none". Documentation examples should use lowercase string values or the typed constants, not capitalized strings like "Lax".

Applied to files:

• docs/api/ctx.md
• ctx_interface_gen.go
• res.go

🧬 Code graph analysis (2)

ctx_interface_gen.go (2)

res.go (1)

• Cookie (104-116)

client/request.go (1)

• Cookie (778-778)

res.go (3)

bind_test.go (2)

• Cookie (1512-1516)
• Cookie (1757-1761)

constants.go (3)

• CookieSameSiteStrictMode (315-315)
• CookieSameSiteNoneMode (316-316)
• CookieSameSiteLaxMode (314-314)

client/response.go (1)

• Response (19-25)

🔇 Additional comments (4)

res.go (2)

204-206: LGTM!

Clear documentation update that properly warns users about the ClearCookie limitation for cookies with Domain/Path attributes and directs them to use ExpireCookie.

---

221-265: Well-implemented cookie expiration with full attribute support.

The implementation correctly handles:

• Path and Domain matching for proper cookie deletion per RFC 6265
• SameSite attribute with case-insensitive comparison
• Partitioned cookies (CHIPS)
• Auto-enforcement of Secure=true when SameSite=None or Partitioned=true per browser requirements

The Acquire/Release pattern for fasthttp cookies is correctly used, and the deferred release ensures cleanup.

ctx_interface_gen.go (1)

329-340: LGTM!

The interface definition correctly mirrors the implementation. The documentation properly notes all fields used (Name, Path, Domain, Secure, HTTPOnly, SameSite, Partitioned) and clarifies that Value/Expires are overwritten.

docs/api/ctx.md (1)

1773-1824: Comprehensive documentation for the new ExpireCookie API.

The examples effectively demonstrate all supported use cases:

• Path-specific cookies
• Domain-specific cookies
• Security flags (Secure, HTTPOnly)
• SameSite attribute
• Partitioned cookies (CHIPS)

The note block clearly explains which fields are consumed and that Value/Expires are overwritten.

[darwin808]

@gaby Addressed the review comments - added SameSite and Partitioned support, updated docs, and refactored tests to table-driven style.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (1)

ctx_test.go (1)

4506-4598: Solid ExpireCookie coverage; consider releasing acquired contexts.

The table‑driven test nicely exercises Path/Domain, SameSite variants, Secure/HTTPOnly, and Partitioned behavior with parallel subtests, which aligns well with the new API.

Minor nit: each subtest calls app.AcquireCtx(&fasthttp.RequestCtx{}) but never releases the context. For consistency with other tests and better pool hygiene, consider:

Suggested cleanup

-			app := New()
-			c := app.AcquireCtx(&fasthttp.RequestCtx{})
+			app := New()
+			c := app.AcquireCtx(&fasthttp.RequestCtx{})
+			defer app.ReleaseCtx(c)

📜 Review details

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c715d6a and 48bf4ad.

📒 Files selected for processing (2)

• ctx_test.go
• res.go

🧰 Additional context used

📓 Path-based instructions (2)

**/*.go

📄 CodeRabbit inference engine (AGENTS.md)

Prefer github.com/gofiber/utils/v2 helpers (for example, utils.Trim) when performing common operations such as string manipulation, whenever it is practical and appropriate for the surrounding code

Files:

• res.go
• ctx_test.go

**/*_test.go

📄 CodeRabbit inference engine (AGENTS.md)

When adding Go tests, always invoke t.Parallel() at the start of each test and subtest to maximize concurrency

Files:

• ctx_test.go

🧠 Learnings (9)

📓 Common learnings

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

📚 Learning: 2025-07-19T14:06:29.884Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3598
File: docs/middleware/csrf.md:37-42
Timestamp: 2025-07-19T14:06:29.884Z
Learning: In Fiber v3, the CookieSameSite constants use lowercase values: CookieSameSiteLaxMode = "lax", CookieSameSiteStrictMode = "strict", CookieSameSiteNoneMode = "none". Documentation examples should use lowercase string values or the typed constants, not capitalized strings like "Lax".

Applied to files:

• res.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using `ctx.Response.Header.Cookie` may not be suitable for parsing cookies from the response header, as it requires a `*Cookie` and fills it rather than returning a string value; thus, manual parsing of the `Set-Cookie` header may be necessary.

Applied to files:

• res.go
• ctx_test.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:22-25
Timestamp: 2024-10-08T19:06:06.583Z
Learning: The `encryptcookie_test.go` file contains unit tests that validate key lengths for both `EncryptCookie` and `DecryptCookie` functions, ensuring that invalid key lengths raise appropriate errors.

Applied to files:

• ctx_test.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Applied to files:

• ctx_test.go

📚 Learning: 2024-07-01T03:33:22.283Z

Learnt from: gaby
Repo: gofiber/fiber PR: 3056
File: middleware/encryptcookie/utils.go:51-54
Timestamp: 2024-07-01T03:33:22.283Z
Learning: Unit tests for key length enforcement in `DecryptCookie` have been added to ensure consistency and security in the encryption processes.

Applied to files:

• ctx_test.go

📚 Learning: 2024-10-08T19:06:06.583Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3051
File: middleware/session/session.go:215-216
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Parallel tests for `Session.Save` already exist in the `middleware/session/session_test.go` file, specifically in the `Test_Session_Save` and `Test_Session_Save_Expiration` functions.

Applied to files:

• ctx_test.go

📚 Learning: 2025-12-07T15:07:23.885Z

Learnt from: CR
Repo: gofiber/fiber PR: 0
File: AGENTS.md:0-0
Timestamp: 2025-12-07T15:07:23.885Z
Learning: Applies to **/*_test.go : When adding Go tests, always invoke `t.Parallel()` at the start of each test and subtest to maximize concurrency

Applied to files:

• ctx_test.go

📚 Learning: 2024-10-12T10:01:44.206Z

Learnt from: sixcolors
Repo: gofiber/fiber PR: 3016
File: middleware/session/middleware_test.go:190-191
Timestamp: 2024-10-12T10:01:44.206Z
Learning: When testing session `IdleTimeout` expiration, it's acceptable to use `time.Sleep` to simulate the passage of time in tests.

Applied to files:

• ctx_test.go

🧬 Code graph analysis (1)

ctx_test.go (3)

res.go (1)

• Cookie (104-116)

constants.go (3)

• CookieSameSiteStrictMode (315-315)
• CookieSameSiteLaxMode (314-314)
• CookieSameSiteNoneMode (316-316)

res_interface_gen.go (1)

• Res (13-174)

🔇 Additional comments (1)

res.go (1)

202-207: ExpireCookie implementation and docs align with the intended semantics.

The ClearCookie comment accurately documents its Path/Domain limitation, and DefaultRes.ExpireCookie correctly:

• Constructs a deletion cookie ("" value, CookieExpireDelete).
• Mirrors Path/Domain, when provided.
• Applies SameSite via case‑insensitive compare, and forces Secure for SameSite=None and Partitioned cookies.
• Preserves/overrides only the documented fields and emits the header via SetCookie.

This matches the new Res/Ctx interface contract and the RFC/best‑practice requirements around SameSite=None and partitioned cookies. I don’t see further changes needed here.

Also applies to: 221-267

[ReneWerner87]

@darwin808 can you check my hint