From 97066459ed646801bf62d0e23da6ce15799181c0 Mon Sep 17 00:00:00 2001
From: Ming Deng
Date: Sun, 31 Mar 2024 21:25:28 +0800
Subject: [PATCH] fix 5620: ensure cookie always use the config (#5621)

---
 server/web/session/session.go | 23 +++++++++--------------
 1 file changed, 9 insertions(+), 14 deletions(-)

diff --git a/server/web/session/session.go b/server/web/session/session.go
index ef4ca082..57b53345 100644
--- a/server/web/session/session.go
+++ b/server/web/session/session.go
@@ -287,7 +287,6 @@ func (manager *Manager) SessionRegenerateID(w http.ResponseWriter, r *http.Reque
 }
 var session Store
-
 cookie, err := r.Cookie(manager.config.CookieName)
 if err != nil || cookie.Value == "" {
 // delete old cookie
@@ -296,43 +295,39 @@ func (manager *Manager) SessionRegenerateID(w http.ResponseWriter, r *http.Reque
 return nil, err
 }
 cookie = &http.Cookie{
- Name: manager.config.CookieName,
- Value: url.QueryEscape(sid),
- Path: "/",
- HttpOnly: !manager.config.DisableHTTPOnly,
- Secure: manager.isSecure(r),
- Domain: manager.config.Domain,
- SameSite: manager.config.CookieSameSite,
+ Name: manager.config.CookieName,
+ Value: url.QueryEscape(sid),
 }
 } else {
 oldsid, err := url.QueryUnescape(cookie.Value)
 if err != nil {
 return nil, err
 }
-
 session, err = manager.provider.SessionRegenerate(context.Background(), oldsid, sid)
 if err != nil {
 return nil, err
 }
- cookie.Value = url.QueryEscape(sid)
- cookie.HttpOnly = true
- cookie.Path = "/"
 }
 if manager.config.CookieLifeTime > 0 {
 cookie.MaxAge = manager.config.CookieLifeTime
 cookie.Expires = time.Now().Add(time.Duration(manager.config.CookieLifeTime) * time.Second)
 }
+
+ cookie.HttpOnly = !manager.config.DisableHTTPOnly
+ cookie.Path = "/"
+ cookie.Secure = manager.isSecure(r)
+ cookie.Domain = manager.config.Domain
+ cookie.SameSite = manager.config.CookieSameSite
+
 if manager.config.EnableSetCookie {
 http.SetCookie(w, cookie)
 }
 r.AddCookie(cookie)
-
 if manager.config.EnableSidInHTTPHeader {
 r.Header.Set(manager.config.SessionNameInHTTPHeader, sid)
 w.Header().Set(manager.config.SessionNameInHTTPHeader, sid)
 }
-
 return session, nil
 }
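Review bot: The `else` branch no longer writes the regenerated id into the cookie: `cookie.Value = url.QueryEscape(sid)` is removed together with the old HttpOnly/Path lines, but the new block after the CookieLifeTime check re-adds only the attribute assignments, so the `cookie` obtained from `r.Cookie(...)` still carries the old id when it reaches `http.SetCookie(w, cookie)` and `r.AddCookie(cookie)`. The provider has already been asked to move the session from `oldsid` to `sid`, so as far as this hunk shows the client is left holding an id that no longer resolves, and the `SessionNameInHTTPHeader` value set a few lines later will disagree with the cookie. Adding `cookie.Value = url.QueryEscape(sid)` to the new attribute block restores the previous behaviour for both paths (it is a harmless re-assignment on the fresh-cookie path). SessionRegenerateID begins before this hunk.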