fix: make sure to set cookie on manual session saves (#203)

fastify · Jul 4, 2023 · d255ee7 · d255ee7
1 parent 607d7bb
commit d255ee7
Show file tree

Hide file tree

Showing 4 changed files with 31 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -151,6 +151,14 @@ Gets a value from the session
 
 Sets a value in the session
 
+#### Session#isModified()
+
+Whether the session has been modified from what was loaded from the store (or created)
+
+#### Session#isSaved()
+
+Whether the session (and any of its potential modifications) has persisted to the store
+
 ### fastify.decryptSession(sessionId, request, cookieOptions, next)
 This plugin also decorates the fastify instance with `decryptSession` in case you want to decrypt the session manually.
 

diff --git a/lib/fastifySession.js b/lib/fastifySession.js
@@ -167,11 +167,22 @@ function fastifySession (fastify, options, next) {
       const cookieSessionId = getCookieSessionId(request)
       const saveSession = shouldSaveSession(request, cookieSessionId, saveUninitializedSession, rollingSessions)
       const isInsecureConnection = cookieOpts.secure === true && isConnectionSecure(request) === false
+      const sessionIdWithPrefix = hasCookiePrefix ? `${cookiePrefix}${session.encryptedSessionId}` : session.encryptedSessionId
       if (!saveSession || isInsecureConnection) {
         // if a session cookie is set, but has a different ID, clear it
         if (cookieSessionId && cookieSessionId !== session.encryptedSessionId) {
           reply.clearCookie(cookieName, { domain: cookieOpts.domain })
         }
+
+        if (session.isSaved()) {
+          reply.setCookie(
+            cookieName,
+            sessionIdWithPrefix,
+            // we need to remove extra properties to align the same with `express-session`
+            session.cookie.toJSON()
+          )
+        }
+
         done()
         return
       }
@@ -183,7 +194,7 @@ function fastifySession (fastify, options, next) {
         }
         reply.setCookie(
           cookieName,
-          hasCookiePrefix ? `${cookiePrefix}${session.encryptedSessionId}` : session.encryptedSessionId,
+          sessionIdWithPrefix,
           // we need to remove extra properties to align the same with `express-session`
           session.cookie.toJSON()
         )

diff --git a/lib/session.js b/lib/session.js
@@ -16,6 +16,7 @@ const hash = Symbol('hash')
 const sessionIdKey = Symbol('sessionId')
 const sessionStoreKey = Symbol('sessionStore')
 const encryptedSessionIdKey = Symbol('encryptedSessionId')
+const savedKey = Symbol('saved')
 
 module.exports = class Session {
   constructor (
@@ -38,6 +39,7 @@ module.exports = class Session {
       prevSession[sessionIdKey] === sessionId &&
       prevSession[encryptedSessionIdKey]
     ) || cookieSigner.sign(this.sessionId)
+    this[savedKey] = false
     this.cookie = new Cookie(prevSession?.cookie || cookieOpts, request)
 
     if (prevSession) {
@@ -173,6 +175,7 @@ module.exports = class Session {
         if (error) {
           callback(error)
         } else {
+          this[savedKey] = true
           this[persistedHash] = this[hash]()
           callback()
         }
@@ -183,6 +186,7 @@ module.exports = class Session {
           if (error) {
             reject(error)
           } else {
+            this[savedKey] = true
             this[persistedHash] = this[hash]()
             resolve()
           }
@@ -219,4 +223,8 @@ module.exports = class Session {
   isModified () {
     return this[persistedHash] !== this[hash]()
   }
+
+  isSaved () {
+    return this[savedKey]
+  }
 }
diff --git a/test/session.test.js b/test/session.test.js
@@ -906,7 +906,7 @@ test('when rolling is false, only save session when it changes', async t => {
 })
 
 test('when rolling is false, only save session when it changes, but not if manually saved', async t => {
-  t.plan(4)
+  t.plan(5)
   let setCount = 0
   const store = new Map()
 
@@ -945,11 +945,12 @@ test('when rolling is false, only save session when it changes, but not if manua
     await reply.send(200)
   })
 
-  const { statusCode } = await fastify.inject('/')
+  const { statusCode, headers } = await fastify.inject('/')
 
   t.equal(statusCode, 200)
   // we manually saved the session, so it should be called once (not once for manual save and once in `onSend`)
   t.equal(setCount, 1)
+  t.equal(typeof headers['set-cookie'], 'string')
 })
 
 test('when rolling is true, keep saving the session', async t => {