Check the deadline independently from securecookie

ca680333 · ale · 79c42231 · ca680333
Commit ca680333 authored 5 years ago by ale
--- a/server/login/login.go
+++ b/server/login/login.go
@@ -162,6 +162,11 @@ func (l *Login) fetchOrInitSession(req *http.Request) *loginSession {
 	if err != nil {
 		return new(loginSession)
 	}
+	// Check our own Deadline anyway (for authenticated sessions), do not
+	// necessarily trust the securecookie.
+	if !session.Deadline.IsZero() && time.Now().UTC().After(session.Deadline) {
+		return new(loginSession)
+	}
 	return session
 }