From 216d413c15b4573c6cfb3747360af63370e51210 Mon Sep 17 00:00:00 2001
From: Aaron Lindsay
Date: Sat, 18 Nov 2017 20:45:35 -0500
Subject: [PATCH 1/2] Ensure we don't have duplicate session secrets
---
 internal/handlers/sessions.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/internal/handlers/sessions.go b/internal/handlers/sessions.go
index 55e1f91..e6f5dab 100644
--- a/internal/handlers/sessions.go
+++ b/internal/handlers/sessions.go
@@ -81,6 +81,14 @@ func NewSession(tx *Tx, r *http.Request, userid int64) (*NewSessionWriter, error
 return nil, err
 }
+ existing, err := tx.SelectInt("SELECT count(*) from sessions where SessionSecret=?", session_secret)
+ if err != nil {
+ return nil, err
+ }
+ if existing > 0 {
+ return nil, fmt.Errorf("%d session(s) exist with the generated session_secret")
+ }
 cookie := http.Cookie{
 Name: "moneygo-session",
 Value: session_secret,
From ac5826daca697ccd6d49304f29ed7d6f2d84fe96 Mon Sep 17 00:00:00 2001
From: Aaron Lindsay
Date: Sat, 18 Nov 2017 21:19:30 -0500
Subject: [PATCH 2/2] Add expiration and creation times to sessions
Check expiration time when fetching sessions from cookies
---
 internal/handlers/sessions.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/internal/handlers/sessions.go b/internal/handlers/sessions.go
index e6f5dab..55c9317 100644
--- a/internal/handlers/sessions.go
+++ b/internal/handlers/sessions.go
@@ -16,6 +16,8 @@ type Session struct {
 SessionId int64
 SessionSecret string `json:"-"`
 UserId int64
+ Created time.Time
+ Expires time.Time
 }
 func (s *Session) Write(w http.ResponseWriter) error {
@@ -41,6 +43,11 @@ func GetSession(tx *Tx, r *http.Request) (*Session, error) {
 if err != nil {
 return nil, err
 }
+ if s.Expires.Before(time.Now()) {
+ tx.Delete(&s)
+ return nil, fmt.Errorf("Session has expired")
+ }
 return &s, nil
 }
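Review bot: The count(*) lookup followed by the later tx.Insert is not atomic, so two concurrent logins that draw the same secret can both pass the `existing > 0` check; only a UNIQUE constraint on sessions.SessionSecret, with the insert error handled, actually guarantees no duplicates, and this query then serves at most as a cheap pre-check. On a collision the caller also receives an error instead of a fresh secret; drawing a new `session_secret` and retrying a bounded number of times would be friendlier, although if the secret comes from a CSPRNG of adequate length this branch is effectively unreachable. The `%d` verb in the error has no argument on this line (the second patch in the series supplies it). NewSession starts and ends outside this hunk.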
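Review bot: Created and Expires carry no doc comment and, unlike SessionSecret, no `json:"-"` tag, so whatever serializes Session (presumably Write on the line below) will now emit them; harmless in itself, but worth stating on the fields, e.g. `// Created records when the session row was inserted.` and `// Expires is the instant after which GetSession treats the session as dead and deletes it.` The two fields also become columns on the sessions table via tx.Insert(&s) in a later hunk, yet the diffstat lists only sessions.go; if the table schema is not generated from this struct, existing deployments need a migration that is not part of this series.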
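Review bot: The result of `tx.Delete(&s)` is discarded, so a failure to remove the expired row is silent and the stale session remains in the table; if Delete reports an error the way Insert does, check it: `if _, err := tx.Delete(&s); err != nil { return nil, err }` (adjust to Delete's actual return arity). If callers roll the transaction back after GetSession returns an error, the deletion is undone as well, so confirm how the error path is handled upstream. Minor: Go error strings are conventionally lowercase, `fmt.Errorf("session has expired")`. The comparison uses this process's wall clock against a value round-tripped through the database; a test with a non-UTC local zone would confirm the stored Expires is not shifted. GetSession's body begins before this hunk.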
@@ -86,7 +93,7 @@ func NewSession(tx *Tx, r *http.Request, userid int64) (*NewSessionWriter, error
 return nil, err
 }
 if existing > 0 {
- return nil, fmt.Errorf("%d session(s) exist with the generated session_secret")
+ return nil, fmt.Errorf("%d session(s) exist with the generated session_secret", existing)
 }
 cookie := http.Cookie{
@@ -101,6 +108,8 @@ func NewSession(tx *Tx, r *http.Request, userid int64) (*NewSessionWriter, error
 s.SessionSecret = session_secret
 s.UserId = userid
+ s.Created = time.Now()
+ s.Expires = cookie.Expires
 err = tx.Insert(&s)
 if err != nil {