Make sure the cookie exists before we clear the session in redis

lsst-dm · May 30, 2019 · 6d7f0ab · 6d7f0ab
1 parent 66bbf14
commit 6d7f0ab
Showing 1 changed file with 14 additions and 7 deletions.
diff --git a/pkg/sessions/redis/redis_store.go b/pkg/sessions/redis/redis_store.go
@@ -148,13 +148,6 @@ func (store *SessionStore) loadSessionFromString(value string) (*sessions.Sessio
 // Clear clears any saved session information for a given ticket cookie
 // from redis, and then clears the session
 func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) error {
-	requestCookie, _ := req.Cookie(store.CookieOptions.CookieName)
-
-	val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire)
-	if !ok {
-		return fmt.Errorf("Cookie Signature not valid")
-	}
-
 	// We go ahead and clear the cookie first, always.
 	clearCookie := store.makeCookie(
 		req,
@@ -164,6 +157,20 @@ func (store *SessionStore) Clear(rw http.ResponseWriter, req *http.Request) erro
 	)
 	http.SetCookie(rw, clearCookie)
 
+	// If there was an existing cookie we should clear the session in redis
+	requestCookie, err := req.Cookie(store.CookieOptions.CookieName)
+	if err != nil && err == http.ErrNoCookie {
+		// No existing cookie so can't clear redis
+		return nil
+	} else if err != nil {
+		return fmt.Errorf("error retrieving cookie: %v", err)
+	}
+
+	val, _, ok := cookie.Validate(requestCookie, store.CookieOptions.CookieSecret, store.CookieOptions.CookieExpire)
+	if !ok {
+		return fmt.Errorf("Cookie Signature not valid")
+	}
+
 	// We only return an error if we had an issue with redis
 	// If there's an issue decoding the ticket, ignore it
 	ticket, _ := decodeTicket(store.CookieOptions.CookieName, val)