Skip to content

fix: session create with expired timestamp #248

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
RainyNight9 merged 5 commits into from
Dec 23, 2025
Merged

fix: session create with expired timestamp #248

RainyNight9 merged 5 commits into from
Dec 23, 2025

Conversation

@luohoufu
Copy link
Contributor

@luohoufu luohoufu commented Dec 23, 2025

What does this PR do

Rationale for this change

Standards checklist

  • The PR title is descriptive
  • The commit messages are semantic
  • Necessary tests are added
  • Updated the release notes
  • Necessary documents have been added if this is a new feature
  • Performance tests checked, no obvious performance degradation

Copilot AI review requested due to automatic review settings December 23, 2025 04:03
Copilot AI reviewed Dec 23, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refactors session handling to fix issues with expired timestamps by introducing a new ForceSetSession function. The change allows for two modes of session recovery: automatic recovery when detecting corrupted sessions, and forced recreation of sessions regardless of their state.

Key changes:

  • Introduces ForceSetSession with a force parameter to control session creation behavior
  • Refactors SetSession to delegate to ForceSetSession with force=false
  • Reorganizes imports to follow Go conventions (standard library before third-party imports)

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

core/api/session.go
func SetSession(w http.ResponseWriter, r *http.Request, key string, value interface{}) bool {
return ForceSetSession(w, r, key, value, false)
}

Copy link

Copilot AI Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new public function ForceSetSession lacks documentation explaining its purpose, parameters, and when the force parameter should be used. Public API functions should have godoc comments describing their behavior.

Suggested change
// ForceSetSession stores the given key/value pair in the current user's session and saves it.
// When force is false, the function attempts to load the existing session identified by the
// node-specific session name and will create a new one only if the stored value is corrupted.
// When force is true, the function always creates a new session instead of loading an existing
// one, which can be useful when the caller wants to reset the session state explicitly.
// It returns true if the session was saved successfully, or false if any error occurred.

Copilot uses AI. Check for mistakes.
core/api/session.go
Comment on lines 119 to 125
if strings.Contains(err.Error(), "the value is not valid") {
log.Warnf("Session corrupted in SetSession, creating new one: %v", err)
session, err = s.New(r, getSessionName())
if err != nil {
log.Warnf("Failed to create new session in SetSession: %v", err)
return false
}
Copy link

Copilot AI Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

When force is false and a corrupted session is detected (lines 119-125), the old session cookie is not cleared before creating a new session. This is inconsistent with the force=true path (lines 133-140) and with GetSession (lines 77-84) which both clear the corrupted cookie. This could lead to issues where the old corrupted cookie persists.

Copilot uses AI. Check for mistakes.
core/api/session.go
Comment on lines 105 to 146
func SetSession(w http.ResponseWriter, r *http.Request, key string, value interface{}) bool {
return ForceSetSession(w, r, key, value, false)
}

func ForceSetSession(w http.ResponseWriter, r *http.Request, key string, value interface{}, force bool) bool {
s := getStore()
session, err := s.Get(r, getSessionName())
var (
session *sessions.Session
err error
)
if !force {
session, err = s.Get(r, getSessionName())

if err != nil {
if strings.Contains(err.Error(), "the value is not valid") {
log.Warnf("Session corrupted in SetSession, creating new one: %v", err)
session, err = s.New(r, getSessionName())
if err != nil {
log.Warnf("Failed to create new session in SetSession: %v", err)
if err != nil {
if strings.Contains(err.Error(), "the value is not valid") {
log.Warnf("Session corrupted in SetSession, creating new one: %v", err)
session, err = s.New(r, getSessionName())
if err != nil {
log.Warnf("Failed to create new session in SetSession: %v", err)
return false
}
} else {
log.Warnf("Failed to get session in SetSession: %v", err)
return false
}
} else {
log.Warnf("Failed to get session in SetSession: %v", err)
}
} else {
// Destroy the corrupted session completely
if cookie, err := r.Cookie(getSessionName()); err == nil {
http.SetCookie(w, &http.Cookie{
Name: cookie.Name,
Value: "",
Path: "/",
MaxAge: -1,
})
}
session, err = s.New(r, getSessionName())
if err != nil {
log.Warnf("Failed to create new session in ForceSetSession: %v", err)
return false
}
}
Copy link

Copilot AI Dec 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The new ForceSetSession function and the refactored SetSession logic lack test coverage. Given that tests exist in core/api/api_test.go for other API functionality, this new session handling behavior (especially the force parameter and corrupted session recovery) should be tested to ensure it works correctly.

Copilot uses AI. Check for mistakes.
@RainyNight9 RainyNight9 merged commit eb29244 into main Dec 23, 2025
4 checks passed
@RainyNight9 RainyNight9 deleted the fix-session branch December 23, 2025 07:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@silenceqi silenceqi silenceqi approved these changes

@SteveLauC SteveLauC SteveLauC approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@luohoufu @silenceqi @SteveLauC @RainyNight9 @luohf-infinilabs