Calling session.Start twice in same view will generate new session id twice

[zhangi]

If session.Start(nil, w, r) is called twice in the same handler func, the second one will generate a new session id because of the cookie store returns false if the cookie does not exist. It breaks the cookie signature validation because the first session id is overwritten by second one.
All other store backends like redis store or in-memory store do not have such problem

[LyricTian]

According to what you said, it is not very good to locate the problem, can you post the code you encountered?

[zhangi]

import (
	"context"
	"fmt"
	"net/http"

	"github.com/go-session/cookie"
	"github.com/go-session/session"
)

var (
	hashKey = []byte("FF51A553-72FC-478B-9AEF-93D6F506DE91")
)

func main() {
	session.InitManager(
		session.SetStore(
			cookie.NewCookieStore(
				cookie.SetCookieName("demo_cookie_store_id"),
				cookie.SetHashKey(hashKey),
			),
		),
	)

	http.HandleFunc("/foo", func(w http.ResponseWriter, r *http.Request) {
		sessionID, _ := inner(w, r)
		fmt.Fprintf(w, "%s\n", sessionID)
		sessionID, _ = inner(w, r)
		fmt.Fprintf(w, "%s\n", sessionID)
	})

	http.ListenAndServe(":8080", nil)
}

func inner(w http.ResponseWriter, r *http.Request) (string,error) {
	store, err := session.Start(context.Background(), w, r)
	if err != nil {
		return "", err
	}
	return store.SessionID(), nil
}

build and run, then visit http://localhost:8080/foo and it will show that the two calls of inner() return different sessionID, which breaks the expectation that sessionID should be same in the lifetime of a single request.