Adding work to resolve issue 172: If a user decides to use signed coo…

…kies, only one of the 'koa:sess' cookies are correctly destroyed by the browser when the data is set to 'null'. This change fixes that by ensuring that the maxAge is always set when destroying the cookie, and the 'koa:sess.sig' cookies are also destroyed. Changes: - On destroy, set 'maxAge' to be false - On destroy, set the 'expires' flag to be UNIXTIME epoch, which the 'Cookie' module relies on - Added test case for the cookie time being set Added test to assert that the .sig cookie is expired when 'signed: true'
koajs · Aug 19, 2019 · c28e144 · c28e144
1 parent 10bb122
commit c28e144
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 1 deletion.
diff --git a/lib/context.js b/lib/context.js
@@ -4,6 +4,7 @@ const debug = require('debug')('koa-session:context');
 const Session = require('./session');
 const util = require('./util');
 
+const COOKIE_EXP_DATE = 'Thu, 01 Jan 1970 00:00:00 GMT';
 const ONE_DAY = 24 * 60 * 60 * 1000;
 
 class ContextSession {
@@ -273,7 +274,12 @@ class ContextSession {
    */
 
   async remove() {
-    const opts = this.opts;
+    // Override the default options so that we can properly expire the session cookies
+    const opts = Object.assign({}, this.opts, {
+      expires: new Date(COOKIE_EXP_DATE),
+      maxAge: false,
+    });
+
     const ctx = this.ctx;
     const key = opts.key;
     const externalKey = this.externalKey;

diff --git a/test/cookie.test.js b/test/cookie.test.js
@@ -249,6 +249,47 @@ describe('Koa Session Cookie', () => {
     });
   });
 
+  describe('after session set to null with signed cookie', () => {
+    it('should return expired cookies', done => {
+      const app = App({
+        signed: true,
+      });
+
+      app.use(async function(ctx) {
+        ctx.session.hello = {};
+        ctx.session = null;
+        ctx.body = String(ctx.session === null);
+      });
+
+      request(app.listen())
+        .get('/')
+        .expect('Set-Cookie', /koa:sess=; path=\/; expires=Thu, 01 Jan 1970 00:00:00 GMT/)
+        .expect('Set-Cookie', /koa:sess.sig=(.*); path=\/; expires=Thu, 01 Jan 1970 00:00:00 GMT/)
+        .expect('true')
+        .expect(200, done);
+    });
+  });
+
+  describe('after session set to null without signed cookie', () => {
+    it('should return expired cookies', done => {
+      const app = App({
+        signed: false,
+      });
+
+      app.use(async function(ctx) {
+        ctx.session.hello = {};
+        ctx.session = null;
+        ctx.body = String(ctx.session === null);
+      });
+
+      request(app.listen())
+        .get('/')
+        .expect('Set-Cookie', /koa:sess=; path=\/; expires=Thu, 01 Jan 1970 00:00:00 GMT/)
+        .expect('true')
+        .expect(200, done);
+    });
+  });
+
   describe('when get session after set to null', () => {
     it('should return null', done => {
       const app = App();