Centralize session options and adjust cookies

Configure session cookie options centrally in initRouter and remove per-login MaxAge handling. Deleted SetMaxAge helper and its use in the login flow; session.Options are now applied once using basePath with HttpOnly and SameSite defaults, and MaxAge is set only when the stored setting is available and >0. Also make CookieManager.setCookie treat exdays as optional (only add expires when provided) and stop using a hardcoded 150-day expiry for the lang cookie in the JS language manager. Co-Authored-By: Alireza Ahmadi <alireza7@gmail.com>
2026-04-21 23:15:51 +00:00 · 2026-04-20 14:00:18 +02:00 · 2026-04-20 14:00:18 +02:00 · c188056f64
commit c188056f64
parent 0a424a9f16
4 changed files with 19 additions and 33 deletions
--- a/web/assets/js/util/index.js
+++ b/web/assets/js/util/index.js
@ -651,10 +651,13 @@ class CookieManager {
    }

    static setCookie(cname, cvalue, exdays) {
-        const d = new Date();
-        d.setTime(d.getTime() + exdays * 24 * 60 * 60 * 1000);
-        let expires = 'expires=' + d.toUTCString();
-        document.cookie = cname + '=' + encodeURIComponent(cvalue) + ';' + expires + ';path=/';
+        let expires = '';
+        if (exdays) {
+            const d = new Date();
+            d.setTime(d.getTime() + exdays * 24 * 60 * 60 * 1000);
+            expires = 'expires=' + d.toUTCString() + ';';
+        }
+        document.cookie = cname + '=' + encodeURIComponent(cvalue) + ';' + expires + 'path=/';
    }
 }

@ -813,13 +816,13 @@ class LanguageManager {
                });

                if (LanguageManager.isSupportLanguage(lang)) {
-                    CookieManager.setCookie("lang", lang, 150);
+                    CookieManager.setCookie("lang", lang);
                } else {
-                    CookieManager.setCookie("lang", "en-US", 150);
+                    CookieManager.setCookie("lang", "en-US");
                    window.location.reload();
                }
            } else {
-                CookieManager.setCookie("lang", "en-US", 150);
+                CookieManager.setCookie("lang", "en-US");
                window.location.reload();
            }
        }
@ -832,7 +835,7 @@ class LanguageManager {
            language = "en-US";
        }

-        CookieManager.setCookie("lang", language, 150);
+        CookieManager.setCookie("lang", language);
        window.location.reload();
    }

--- a/web/controller/index.go
+++ b/web/controller/index.go
@ -95,12 +95,6 @@ func (a *IndexController) login(c *gin.Context) {
 	logger.Infof("%s logged in successfully, Ip Address: %s\n", safeUser, getRemoteIp(c))
 	a.tgbot.UserLoginNotify(safeUser, ``, getRemoteIp(c), timeStr, 1)

-	sessionMaxAge, err := a.settingService.GetSessionMaxAge()
-	if err != nil {
-		logger.Warning("Unable to get session's max age from DB")
-	}
-
-	session.SetMaxAge(c, sessionMaxAge*60)
 	session.SetLoginUser(c, user)
 	if err := sessions.Default(c).Save(); err != nil {
 		logger.Warning("Unable to save session: ", err)
--- a/web/session/session.go
+++ b/web/session/session.go
@ -31,18 +31,6 @@ func SetLoginUser(c *gin.Context, user *model.User) {
 	s.Set(loginUserKey, *user)
 }

-// SetMaxAge configures the session cookie maximum age in seconds.
-// This controls how long the session remains valid before requiring re-authentication.
-func SetMaxAge(c *gin.Context, maxAge int) {
-	s := sessions.Default(c)
-	s.Options(sessions.Options{
-		Path:     defaultPath,
-		MaxAge:   maxAge,
-		HttpOnly: true,
-		SameSite: http.SameSiteLaxMode,
-	})
-}
-
 // GetLoginUser retrieves the authenticated user from the session.
 // Returns nil if no user is logged in or if the session data is invalid.
 func GetLoginUser(c *gin.Context) *model.User {
--- a/web/web.go
+++ b/web/web.go
@ -207,14 +207,15 @@ func (s *Server) initRouter() (*gin.Engine, error) {

 	store := cookie.NewStore(secret)
 	// Configure default session cookie options, including expiration (MaxAge)
-	if sessionMaxAge, err := s.settingService.GetSessionMaxAge(); err == nil {
-		store.Options(sessions.Options{
-			Path:     "/",
-			MaxAge:   sessionMaxAge * 60, // minutes -> seconds
-			HttpOnly: true,
-			SameSite: http.SameSiteLaxMode,
-		})
+	sessionOptions := sessions.Options{
+		Path:     basePath,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
 	}
+	if sessionMaxAge, err := s.settingService.GetSessionMaxAge(); err == nil && sessionMaxAge > 0 {
+		sessionOptions.MaxAge = sessionMaxAge * 60 // minutes -> seconds
+	}
+	store.Options(sessionOptions)
 	engine.Use(sessions.Sessions("3x-ui", store))
 	engine.Use(func(c *gin.Context) {
 		c.Set("base_path", basePath)