From 7f763e6bfcbee7851f55312656b321e9094e1e5f Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Sun, 6 Feb 2022 16:18:58 +0530
Subject: [PATCH 1/6] feat(ctx): add SessionOnly property on Cookie struct

---
 ctx.go | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/ctx.go b/ctx.go
index c14b3a2773..9ec314c2b9 100644
--- a/ctx.go
+++ b/ctx.go
@@ -75,15 +75,16 @@ type Range struct {
 
 // Cookie data for c.Cookie
 type Cookie struct {
- Name string `json:"name"`
- Value string `json:"value"`
- Path string `json:"path"`
- Domain string `json:"domain"`
- MaxAge int `json:"max_age"`
- Expires time.Time `json:"expires"`
- Secure bool `json:"secure"`
- HTTPOnly bool `json:"http_only"`
- SameSite string `json:"same_site"`
+ Name string `json:"name"`
+ Value string `json:"value"`
+ Path string `json:"path"`
+ Domain string `json:"domain"`
+ MaxAge int `json:"max_age"`
+ Expires time.Time `json:"expires"`
+ Secure bool `json:"secure"`
+ HTTPOnly bool `json:"http_only"`
+ SameSite string `json:"same_site"`
+ SessionOnly bool `json:"session_only"`
 }
 
 // Views is the interface that wraps the Render function.
@@ -410,8 +411,13 @@ func (c *Ctx) Cookie(cookie *Cookie) {
 fcookie.SetValue(cookie.Value)
 fcookie.SetPath(cookie.Path)
 fcookie.SetDomain(cookie.Domain)
- fcookie.SetMaxAge(cookie.MaxAge)
- fcookie.SetExpire(cookie.Expires)
+ // only set max age and expiry when SessionOnly is false
+ // i.e. cookie supposed to last beyond browser session
+ // refer: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie
+ if !cookie.SessionOnly {
+ fcookie.SetMaxAge(cookie.MaxAge)
+ fcookie.SetExpire(cookie.Expires)
+ }
 fcookie.SetSecure(cookie.Secure)
 fcookie.SetHTTPOnly(cookie.HTTPOnly)
 

From 501dbc3d033427f149faff83e482c30a202bbc89 Mon Sep 17 00:00:00 2001
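Review bot: The new `if !cookie.SessionOnly` guard silently drops `MaxAge` and `Expires` whenever `SessionOnly` is set, including an `Expires` in the past that callers use to delete a cookie, so a session-only cookie can no longer be removed through this struct without first clearing the flag; nothing a caller reads states that precedence, and `SessionOnly` is added to the struct without a doc comment even though it is the one field that changes how the others are interpreted. I would document it on the field, e.g. `// SessionOnly makes this a browser-session cookie: when true, MaxAge and Expires are not emitted, even an Expires in the past.`, and repeat the caveat in the doc comment of Cookie, whose signature and body start outside this hunk. The three explanatory comment lines could then shrink to one why-line such as `// Session cookies carry no Max-Age/Expires attribute.`, and the `refer:` link can move to the field doc.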
From: Abhishek
Date: Sun, 6 Feb 2022 16:19:53 +0530
Subject: [PATCH 2/6] feat(middleware/config): add CookieSessionOnly property on middleware Config struct

---
 middleware/csrf/config.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/middleware/csrf/config.go b/middleware/csrf/config.go
index afd586b56d..1eef990baf 100644
--- a/middleware/csrf/config.go
+++ b/middleware/csrf/config.go
@@ -53,6 +53,10 @@ type Config struct {
 // Optional. Default value "Lax".
 CookieSameSite string
 
+ // Decides whether cookie should last for only the browser sesison.
+ // Ignores Expiration and CookieExpires if set to true
+ CookieSessionOnly bool
+
 // Expiration is the duration before csrf token will expire
 //
 // Optional. Default: 1 * time.Hour

From 95ce7e2755026c30b762cd6fc1d0129afd47a9d7 Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Sun, 6 Feb 2022 16:20:54 +0530
Subject: [PATCH 3/6] feat(csrf): link config CookieSessionOnly with fiber.Cookie in create middleware function

---
 middleware/csrf/csrf.go | 32 +++++++++++++++++---------------
 1 file changed, 17 insertions(+), 15 deletions(-)

diff --git a/middleware/csrf/csrf.go b/middleware/csrf/csrf.go
index 5427c3f55f..1de2aec5d6 100644
--- a/middleware/csrf/csrf.go
+++ b/middleware/csrf/csrf.go
@@ -48,13 +48,14 @@ func New(config ...Config) fiber.Handler {
 if manager.getRaw(token) == nil {
 // Expire cookie
 c.Cookie(&fiber.Cookie{
- Name: cfg.CookieName,
- Domain: cfg.CookieDomain,
- Path: cfg.CookiePath,
- Expires: time.Now().Add(-1 * time.Minute),
- Secure: cfg.CookieSecure,
- HTTPOnly: cfg.CookieHTTPOnly,
- SameSite: cfg.CookieSameSite,
+ Name: cfg.CookieName,
+ Domain: cfg.CookieDomain,
+ Path: cfg.CookiePath,
+ Expires: time.Now().Add(-1 * time.Minute),
+ Secure: cfg.CookieSecure,
+ HTTPOnly: cfg.CookieHTTPOnly,
+ SameSite: cfg.CookieSameSite,
+ SessionOnly: cfg.CookieSessionOnly,
 })
 return cfg.ErrorHandler(c, errTokenNotFound)
 }
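Review bot: The comment `// Ignores Expiration if set to true` on the new `CookieSessionOnly` field claims more than the ctx.go change delivers: `SessionOnly` only suppresses the cookie's `Expires`/`Max-Age` attributes, and `Expiration` is still passed to `time.Now().Add(cfg.Expiration)` for the cookie and presumably still bounds the token in the manager's storage, which is not in this diff. The comment also misspells "sesison" and, unlike the neighbouring fields, carries no `Optional. Default:` line. Suggest: `// CookieSessionOnly decides whether the cookie lasts only for the browser session.` / `// When true the Set-Cookie header carries no Expires/Max-Age; Expiration still governs the stored token.` / `// Optional. Default: false`. A practitioner would also want it noted that browsers with session restore can keep session cookies across restarts, so this flag is a UX choice rather than a security boundary.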
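Review bot: Passing `SessionOnly: cfg.CookieSessionOnly` into the cookie that is meant to expire a stale token defeats the deletion: with the ctx.go change, `Ctx.Cookie` skips `SetExpire` when `SessionOnly` is true, so the `Expires: time.Now().Add(-1 * time.Minute)` on the line above is never emitted and the browser is handed an empty-valued session cookie (no `Value` is set here) rather than a removal. The invalidation path should not inherit the flag: drop the `SessionOnly: cfg.CookieSessionOnly,` line from this literal, or set it to `false` with `// never session-only: the past Expires is what deletes the cookie`, and cover it with a test. Whether an empty cookie value is later treated as "no token" depends on code before this hunk, so I would not rely on it. The enclosing handler returned by New starts outside the hunk.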
@@ -71,14 +72,15 @@ func New(config ...Config) fiber.Handler {
 
 // Create cookie to pass token to client
 cookie := &fiber.Cookie{
- Name: cfg.CookieName,
- Value: token,
- Domain: cfg.CookieDomain,
- Path: cfg.CookiePath,
- Expires: time.Now().Add(cfg.Expiration),
- Secure: cfg.CookieSecure,
- HTTPOnly: cfg.CookieHTTPOnly,
- SameSite: cfg.CookieSameSite,
+ Name: cfg.CookieName,
+ Value: token,
+ Domain: cfg.CookieDomain,
+ Path: cfg.CookiePath,
+ Expires: time.Now().Add(cfg.Expiration),
+ Secure: cfg.CookieSecure,
+ HTTPOnly: cfg.CookieHTTPOnly,
+ SameSite: cfg.CookieSameSite,
+ SessionOnly: cfg.CookieSessionOnly,
 }
 // Set cookie to response
 c.Cookie(cookie)

From c9cba7f69cf35582cea09c53728b57fdd121be86 Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Sun, 6 Feb 2022 16:21:46 +0530
Subject: [PATCH 4/6] fix(ctx_test): add tests for SessionOnly cookie in test_ctx_cookie

---
 ctx_test.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/ctx_test.go b/ctx_test.go
index 3a790bf315..6a2893727c 100644
--- a/ctx_test.go
+++ b/ctx_test.go
@@ -659,6 +659,14 @@ func Test_Ctx_Cookie(t *testing.T) {
 cookie.SameSite = CookieSameSiteNoneMode
 c.Cookie(cookie)
 utils.AssertEqual(t, expect, string(c.Response().Header.Peek(HeaderSetCookie)))
+
+ expect = "username=john; path=/; secure; SameSite=None"
+ // should remove expires and max-age headers
+ cookie.SessionOnly = true
+ cookie.Expires = expire
+ cookie.MaxAge = 10000
+ c.Cookie(cookie)
+ utils.AssertEqual(t, expect, string(c.Response().Header.Peek(HeaderSetCookie)))
 }
 
 // go test -v -run=^$ -bench=Benchmark_Ctx_Cookie -benchmem -count=4

From 7bef0daa277897da99f02774fa4ba9c80832161a Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Sun, 6 Feb 2022 16:36:07 +0530
Subject: [PATCH 5/6] fix(readme): update readme in csrf middleware for CookieSessionOnly property

---
 middleware/csrf/README.md | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/middleware/csrf/README.md b/middleware/csrf/README.md
index eb516a85ba..8ab8171cc8 100644
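Review bot: The new assertions only pin that `SessionOnly` strips a future `Expires` and a positive `MaxAge`; the case callers actually depend on when deleting a cookie — an `Expires` in the past — is not covered, so the behaviour the csrf middleware's expiry path relies on has no test. After the new `utils.AssertEqual` add `cookie.Expires = time.Now().Add(-time.Minute)` / `c.Cookie(cookie)` / `utils.AssertEqual(t, expect, string(c.Response().Header.Peek(HeaderSetCookie)))`, assuming `time` is already imported in this test file, so the "past expiry is also dropped" rule is stated in one place. The shared `cookie` fixture is left with `SessionOnly = true`; that is harmless while this is the last case in the function, but reset it if further cases are appended.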
--- a/middleware/csrf/README.md
+++ b/middleware/csrf/README.md
@@ -109,6 +109,10 @@ type Config struct {
 // Optional. Default value "Lax".
 CookieSameSite string
 
+ // Decides whether cookie should last for only the browser sesison.
+ // Ignores Expiration if set to true
+ CookieSessionOnly bool
+
 // Expiration is the duration before csrf token will expire
 //
 // Optional. Default: 1 * time.Hour

From 6fda6d834d75c5b91715b6bfa7845605ad77fcfe Mon Sep 17 00:00:00 2001
From: Abhishek
Date: Sun, 6 Feb 2022 16:37:08 +0530
Subject: [PATCH 6/6] remove deprecated property from CookieSessionOnly explaination comments

---
 middleware/csrf/config.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/middleware/csrf/config.go b/middleware/csrf/config.go
index 1eef990baf..4d9cd7b8a1 100644
--- a/middleware/csrf/config.go
+++ b/middleware/csrf/config.go
@@ -54,7 +54,7 @@ type Config struct {
 CookieSameSite string
 
 // Decides whether cookie should last for only the browser sesison.
- // Ignores Expiration and CookieExpires if set to true
+ // Ignores Expiration if set to true
 CookieSessionOnly bool
 
 // Expiration is the duration before csrf token will expire