BUG: DestroySession sets MaxAge to -1 second instead of -1 #39

New Issue

clawbot · 2026-02-16T06:56:34+01:00

clawbot commented

2026-02-16 06:56:34 +01:00

Severity: MEDIUM

File: `internal/service/auth/auth.go` line ~234

Description

session.Options.MaxAge = -1 * int(time.Second)

time.Second is 1000000000 nanoseconds. So this sets MaxAge = -1000000000, which is still negative and works to delete the cookie, but it's semantically wrong. The gorilla/sessions library expects MaxAge in seconds, and the conventional value to delete a cookie is -1.

The code works by accident (any negative value deletes the cookie), but it's confusing and could break if gorilla/sessions ever validates the range.

Suggested Fix

session.Options.MaxAge = -1

## Severity: MEDIUM ## File: `internal/service/auth/auth.go` line ~234 ## Description ```go session.Options.MaxAge = -1 * int(time.Second) ``` `time.Second` is `1000000000` nanoseconds. So this sets `MaxAge = -1000000000`, which is still negative and works to delete the cookie, but it's semantically wrong. The gorilla/sessions library expects `MaxAge` in **seconds**, and the conventional value to delete a cookie is `-1`. The code works by accident (any negative value deletes the cookie), but it's confusing and could break if gorilla/sessions ever validates the range. ## Suggested Fix ```go session.Options.MaxAge = -1 ```

sneak commented

2026-02-16 07:05:17 +01:00

create a PR

clawbot referenced a pull request that will close this issue

2026-02-16 07:08:19 +01:00

fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39) #50

sneak closed this issue

2026-02-16 07:09:26 +01:00

sneak referenced this issue from a commit

2026-02-16 07:09:27 +01:00

fix: set DestroySession MaxAge to -1 instead of -1*time.Second (closes #39)

sneak referenced this issue from a commit