3x-ui/web/session/session.go

// Package session provides session management utilities for the 3x-ui web panel.
// It handles user authentication state, login sessions, and session storage using Gin sessions.
package session

import (
	"encoding/gob"
	"net/http"

	"github.com/mhsanaei/3x-ui/v2/database/model"
	"github.com/mhsanaei/3x-ui/v2/logger"

	"github.com/gin-contrib/sessions"
	"github.com/gin-gonic/gin"
)

const (
	loginUserKey = "LOGIN_USER"
)

func init() {
	gob.Register(model.User{})
}

// SetLoginUser stores the authenticated user in the session and persists it.
// gin-contrib/sessions does not auto-save; callers that forget Save() leave
// the cookie out of sync with server state — this helper avoids that pitfall.
func SetLoginUser(c *gin.Context, user *model.User) error {
	if user == nil {
		return nil
	}
	s := sessions.Default(c)
	s.Set(loginUserKey, *user)
	return s.Save()
}

// GetLoginUser retrieves the authenticated user from the session.
// Returns nil if no user is logged in or if the session data is invalid.
func GetLoginUser(c *gin.Context) *model.User {
	s := sessions.Default(c)
	obj := s.Get(loginUserKey)
	if obj == nil {
		return nil
	}
	user, ok := obj.(model.User)
	if !ok {
		// Stale or incompatible session payload — wipe and persist immediately
		// so subsequent requests don't keep hitting the same broken cookie.
		s.Delete(loginUserKey)
		if err := s.Save(); err != nil {
			logger.Warning("session: failed to drop stale user payload:", err)
		}
		return nil
	}
	return &user
}

// IsLogin checks if a user is currently authenticated in the session.
func IsLogin(c *gin.Context) bool {
	return GetLoginUser(c) != nil
}

// ClearSession invalidates the session and tells the browser to drop the cookie.
// The cookie attributes (Path/HttpOnly/SameSite) must mirror those used when
// the cookie was created or browsers will keep it.
func ClearSession(c *gin.Context) error {
	s := sessions.Default(c)
	s.Clear()
	cookiePath := c.GetString("base_path")
	if cookiePath == "" {
		cookiePath = "/"
	}
	s.Options(sessions.Options{
		Path:     cookiePath,
		MaxAge:   -1,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	})
	return s.Save()
}
docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// Package session provides session management utilities for the 3x-ui web panel.`
			`// It handles user authentication state, login sessions, and session storage using Gin sessions.`
3x-ui 2023-02-09 19:18:06 +00:00			`package session`

			`import (`
			`"encoding/gob"`
cookie: MaxAge and minor changes 2025-09-12 11:04:36 +00:00			`"net/http"`
Some fixes and improvements (#1997) * [refactor] api controller * [fix] access log path better to not hardcode the access log path, maybe some ppl dont want to use the default ./access.log * [fix] set select options from logs paths in xray settings * [update] .gitignore * [lint] all .go files * [update] use status code for jsonMsg and 401 to unauthorize * [update] handle response status code via axios * [fix] set correct value if log paths is set to 'none' we also use the default value for the paths if its set to none * [fix] iplimit - only warning access log if f2b is installed 2024-03-10 21:31:24 +00:00
go package correction v2 2025-09-19 08:05:43 +00:00			`"github.com/mhsanaei/3x-ui/v2/database/model"`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`"github.com/mhsanaei/3x-ui/v2/logger"`
[feature] add login session timeout Co-Authored-By: Alireza Ahmadi <alireza7@gmail.com> 2023-04-25 11:30:21 +00:00
gin-contrib v1.0.0 2024-04-20 21:26:55 +00:00			`"github.com/gin-contrib/sessions"`
3x-ui 2023-02-09 19:18:06 +00:00			`"github.com/gin-gonic/gin"`
			`)`

fix session 2024-08-06 11:44:48 +00:00			`const (`
fix session twice set-cookie bug fixed 2024-12-16 13:24:59 +00:00			`loginUserKey = "LOGIN_USER"`
fix session 2024-08-06 11:44:48 +00:00			`)`
3x-ui 2023-02-09 19:18:06 +00:00
			`func init() {`
			`gob.Register(model.User{})`
			`}`

ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`// SetLoginUser stores the authenticated user in the session and persists it.`
			`// gin-contrib/sessions does not auto-save; callers that forget Save() leave`
			`// the cookie out of sync with server state — this helper avoids that pitfall.`
			`func SetLoginUser(c gin.Context, user model.User) error {`
fix session twice set-cookie bug fixed 2024-12-16 13:24:59 +00:00			`if user == nil {`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`return nil`
fix session twice set-cookie bug fixed 2024-12-16 13:24:59 +00:00			`}`
3x-ui 2023-02-09 19:18:06 +00:00			`s := sessions.Default(c)`
fix session twice set-cookie bug fixed 2024-12-16 13:24:59 +00:00			`s.Set(loginUserKey, *user)`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`return s.Save()`
3x-ui 2023-02-09 19:18:06 +00:00			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// GetLoginUser retrieves the authenticated user from the session.`
			`// Returns nil if no user is logged in or if the session data is invalid.`
3x-ui 2023-02-09 19:18:06 +00:00			`func GetLoginUser(c gin.Context) model.User {`
			`s := sessions.Default(c)`
fix session twice set-cookie bug fixed 2024-12-16 13:24:59 +00:00			`obj := s.Get(loginUserKey)`
fix session 2024-08-06 11:44:48 +00:00			`if obj == nil {`
			`return nil`
3x-ui 2023-02-09 19:18:06 +00:00			`}`
fix session 2024-08-06 11:44:48 +00:00			`user, ok := obj.(model.User)`
			`if !ok {`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`// Stale or incompatible session payload — wipe and persist immediately`
			`// so subsequent requests don't keep hitting the same broken cookie.`
fix session twice set-cookie bug fixed 2024-12-16 13:24:59 +00:00			`s.Delete(loginUserKey)`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`if err := s.Save(); err != nil {`
			`logger.Warning("session: failed to drop stale user payload:", err)`
			`}`
fix session 2024-08-06 11:44:48 +00:00			`return nil`
			`}`
			`return &user`
3x-ui 2023-02-09 19:18:06 +00:00			`}`

docs: add comments for all functions 2025-09-20 07:35:50 +00:00			`// IsLogin checks if a user is currently authenticated in the session.`
3x-ui 2023-02-09 19:18:06 +00:00			`func IsLogin(c *gin.Context) bool {`
			`return GetLoginUser(c) != nil`
			`}`

ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`// ClearSession invalidates the session and tells the browser to drop the cookie.`
			`// The cookie attributes (Path/HttpOnly/SameSite) must mirror those used when`
			`// the cookie was created or browsers will keep it.`
			`func ClearSession(c *gin.Context) error {`
3x-ui 2023-02-09 19:18:06 +00:00			`s := sessions.Default(c)`
			`s.Clear()`
v2.9.0 2026-04-20 18:03:40 +00:00			`cookiePath := c.GetString("base_path")`
			`if cookiePath == "" {`
			`cookiePath = "/"`
			`}`
3x-ui 2023-02-09 19:18:06 +00:00			`s.Options(sessions.Options{`
v2.9.0 2026-04-20 18:03:40 +00:00			`Path: cookiePath,`
fix session 2024-08-06 11:44:48 +00:00			`MaxAge: -1,`
			`HttpOnly: true,`
cookie: MaxAge and minor changes 2025-09-12 11:04:36 +00:00			`SameSite: http.SameSiteLaxMode,`
3x-ui 2023-02-09 19:18:06 +00:00			`})`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds - hub: dedup, throttle, panic-restart, deadlock fix, race tests - client: backoff cap + slow-retry instead of giving up - broadcast: delta-only payload, count-based invalidate fallback - filter: fix empty online list (Inbound has no .id, use dbInbound.toInbound) - perf: O(N²)→O(N) traffic merge, bulk delete, /setEnable endpoint - traffic: monotonic all_time + UI clamp + propagate in delta handler - session: persist on update/logout (fixes logout-after-password-change) - ui: protocol tags flex, traffic bar normalize 2026-04-28 03:22:39 +00:00			`return s.Save()`
3x-ui 2023-02-09 19:18:06 +00:00			`}`