From 8fded5f86d685c48c51546a1e5ec32aadbc12a39 Mon Sep 17 00:00:00 2001
From: corebreaker
Date: Wed, 2 Aug 2017 09:40:54 +0300
Subject: [PATCH] Test decoded cookie for empty strings
Fixes up issue #698. The input of `decodeCookieValue` is tested in case of there is an empty string, so then its output really reflect the validity of the input. It takes in consideration that underlying decoder can unvalidate the cookie.
Former-commit-id: a82cccfe1c252c68ceeb4126ea43495fa2cdf96d
---
 sessions/sessions.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
diff --git a/sessions/sessions.go b/sessions/sessions.go
index eead9553..13ad6ec5 100644
--- a/sessions/sessions.go
+++ b/sessions/sessions.go
@@ -101,7 +101,7 @@ func (s *Sessions) updateCookie(sid string, ctx context.Context, expires time.Du
 // Start should start the session for the particular request.
 func (s *Sessions) Start(ctx context.Context) *Session {
- cookieValue := GetCookie(ctx, s.config.Cookie)
+ cookieValue := s.decodeCookieValue(GetCookie(ctx, s.config.Cookie))
 if cookieValue == "" { // cookie doesn't exists, let's generate a session and add set a cookie
 sid := s.config.SessionIDGenerator()
@@ -114,7 +114,6 @@ func (s *Sessions) Start(ctx context.Context) *Session {
 return sess
 }
- cookieValue = s.decodeCookieValue(cookieValue)
 sess := s.provider.Read(cookieValue, s.config.Expires)
 return sess
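Review bot: In Start, `cookieValue` now holds the decoded session id that is handed to `s.provider.Read`, not the cookie's raw value, and the UpdateExpiraton hunk does the same while dropping the clearer `sid` local. Naming the result for what it is, `sid := s.decodeCookieValue(GetCookie(ctx, s.config.Cookie))`, keeps raw and validated values visibly apart and makes it harder for a later edit to pass an undecoded cookie to the provider. The patch touches only sessions/sessions.go, so the fixed case has no regression test; one that installs a `Decode` returning an error and checks that Start takes the `s.config.SessionIDGenerator()` branch would pin it. Start's body continues outside both hunks on this function.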
@@ -127,12 +126,11 @@ func (s *Sessions) ShiftExpiraton(ctx context.Context) {
 // UpdateExpiraton change expire date of a session to a new date by using timeout value passed by `expires` parameter
 func (s *Sessions) UpdateExpiraton(ctx context.Context, expires time.Duration) {
- cookieValue := GetCookie(ctx, s.config.Cookie)
+ cookieValue := s.decodeCookieValue(GetCookie(ctx, s.config.Cookie))
 if cookieValue != "" {
- sid := s.decodeCookieValue(cookieValue)
- if s.provider.UpdateExpiraton(sid, expires) {
- s.updateCookie(sid, ctx, expires)
+ if s.provider.UpdateExpiraton(cookieValue, expires) {
+ s.updateCookie(cookieValue, ctx, expires)
 }
 }
 }
@@ -172,7 +170,12 @@ func (s *Sessions) DestroyAll() {
 // let's keep these funcs simple, we can do it with two lines but we may add more things in the future.
 func (s *Sessions) decodeCookieValue(cookieValue string) string {
+ if cookieValue == "" {
+ return ""
+ }
+
 var cookieValueDecoded *string
+
 if decode := s.config.Decode; decode != nil {
 err := decode(s.config.Cookie, cookieValue, &cookieValueDecoded)
 if err == nil {
@@ -181,6 +184,7 @@ func (s *Sessions) decodeCookieValue(cookieValue string) string {
 cookieValue = ""
 }
 }
+
 return cookieValue
 }
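Review bot: The comment above decodeCookieValue does not state the contract that Start and UpdateExpiraton now depend on, namely that an empty result covers both a missing cookie and one rejected by `s.config.Decode`. Something like `// decodeCookieValue returns the session id carried by cookieValue, or "" when the cookie is empty or s.config.Decode rejects it.` would say so. The `err` from `decode` is dropped where `cookieValue = ""` is set, so a rejected cookie leaves no trace; recording that failure at a debug level would help anyone investigating tampered or stale cookies. The success branch under `if err == nil {` lies between the two hunks and is not visible here; if it dereferences `cookieValueDecoded`, it is worth confirming that a decoder cannot return a nil error while leaving that pointer nil.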