web/session/session.go

package session

import (
	"encoding/gob"
	"net/http"
	"time"

	"github.com/mhsanaei/3x-ui/v3/database"
	"github.com/mhsanaei/3x-ui/v3/database/model"
	"github.com/mhsanaei/3x-ui/v3/logger"

	"github.com/gin-contrib/sessions"
	"github.com/gin-gonic/gin"
)

const (
	loginUserKey      = "LOGIN_USER"
	loginEpochKey     = "LOGIN_EPOCH"
	apiAuthUserKey    = "api_auth_user"
	sessionCookieName = "3x-ui"
)

func init() {
	gob.Register(model.User{})
}

func SetLoginUser(c *gin.Context, user *model.User) error {
	if user == nil {
		return nil
	}
	s := sessions.Default(c)
	s.Set(loginUserKey, user.Id)
	s.Set(loginEpochKey, user.LoginEpoch)
	return s.Save()
}

func SetAPIAuthUser(c *gin.Context, user *model.User) {
	if user == nil {
		return
	}
	c.Set(apiAuthUserKey, user)
}

func GetLoginUser(c *gin.Context) *model.User {
	if v, ok := c.Get(apiAuthUserKey); ok {
		if u, ok2 := v.(*model.User); ok2 {
			return u
		}
	}
	s := sessions.Default(c)
	obj := s.Get(loginUserKey)
	if obj == nil {
		return nil
	}
	userID, ok := sessionUserID(obj)
	if !ok {
		s.Delete(loginUserKey)
		s.Delete(loginEpochKey)
		if err := s.Save(); err != nil {
			logger.Warning("session: failed to drop stale user payload:", err)
		}
		return nil
	}
	if legacyUserID, ok := legacySessionUserID(obj); ok {
		s.Set(loginUserKey, legacyUserID)
		if err := s.Save(); err != nil {
			logger.Warning("session: failed to migrate legacy user payload:", err)
		}
	}
	user, err := getUserByID(userID)
	if err != nil {
		logger.Warning("session: failed to load user:", err)
		s.Delete(loginUserKey)
		s.Delete(loginEpochKey)
		if saveErr := s.Save(); saveErr != nil {
			logger.Warning("session: failed to drop missing user:", saveErr)
		}
		return nil
	}
	if !sessionEpochMatches(s.Get(loginEpochKey), user.LoginEpoch) {
		s.Delete(loginUserKey)
		s.Delete(loginEpochKey)
		if saveErr := s.Save(); saveErr != nil {
			logger.Warning("session: failed to drop stale epoch:", saveErr)
		}
		return nil
	}
	return user
}

func sessionEpochMatches(cookieVal any, userEpoch int64) bool {
	var got int64
	switch v := cookieVal.(type) {
	case nil:
	case int64:
		got = v
	case int:
		got = int64(v)
	case int32:
		got = int64(v)
	case float64:
		got = int64(v)
	default:
		return false
	}
	return got == userEpoch
}

func IsLogin(c *gin.Context) bool {
	return GetLoginUser(c) != nil
}

func sessionUserID(obj any) (int, bool) {
	switch v := obj.(type) {
	case int:
		return v, v > 0
	case int64:
		return int(v), v > 0
	case int32:
		return int(v), v > 0
	case float64:
		id := int(v)
		return id, v == float64(id) && id > 0
	case model.User:
		return v.Id, v.Id > 0
	case *model.User:
		if v == nil {
			return 0, false
		}
		return v.Id, v.Id > 0
	default:
		return 0, false
	}
}

func legacySessionUserID(obj any) (int, bool) {
	switch v := obj.(type) {
	case model.User:
		return v.Id, v.Id > 0
	case *model.User:
		if v == nil {
			return 0, false
		}
		return v.Id, v.Id > 0
	default:
		return 0, false
	}
}

func getUserByID(id int) (*model.User, error) {
	db := database.GetDB()
	if db == nil {
		return nil, http.ErrServerClosed
	}
	user := &model.User{}
	if err := db.Model(model.User{}).Where("id = ?", id).First(user).Error; err != nil {
		return nil, err
	}
	return user, nil
}

func ClearSession(c *gin.Context) error {
	s := sessions.Default(c)
	s.Clear()
	cookiePath := c.GetString("base_path")
	if cookiePath == "" {
		cookiePath = "/"
	}
	secure := c.Request.TLS != nil
	s.Options(sessions.Options{
		Path:     cookiePath,
		MaxAge:   -1,
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	})
	if err := s.Save(); err != nil {
		return err
	}
	if cookiePath != "/" {
		http.SetCookie(c.Writer, &http.Cookie{
			Name:     sessionCookieName,
			Value:    "",
			Path:     "/",
			MaxAge:   -1,
			Expires:  time.Unix(0, 0),
			HttpOnly: true,
			Secure:   secure,
			SameSite: http.SameSiteLaxMode,
		})
	}
	return nil
}
3x-ui 2023-02-09 22:48:06 +03:30			`package session`

			`import (`
			`"encoding/gob"`
cookie: MaxAge 2025-09-12 13:04:36 +02:00			`"net/http"`
fix(panel): make webBasePath work end-to-end in dev and prod 2026-05-09 21:47:37 +02:00			`"time"`
Some fixes and improvements (#1997 ) 2024-03-11 01:01:24 +03:30
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`"github.com/mhsanaei/3x-ui/v3/database"`
v3 2026-05-10 02:13:42 +02:00			`"github.com/mhsanaei/3x-ui/v3/database/model"`
			`"github.com/mhsanaei/3x-ui/v3/logger"`
[feature] add login session timeout 2023-04-25 15:00:21 +03:30
gin-contrib v1.0.0 2024-04-21 00:56:55 +03:30			`"github.com/gin-contrib/sessions"`
3x-ui 2023-02-09 22:48:06 +03:30			`"github.com/gin-gonic/gin"`
			`)`

fix session 2024-08-06 13:44:48 +02:00			`const (`
fix(panel): make webBasePath work end-to-end in dev and prod 2026-05-09 21:47:37 +02:00			`loginUserKey = "LOGIN_USER"`
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`loginEpochKey = "LOGIN_EPOCH"`
fix(panel): make webBasePath work end-to-end in dev and prod 2026-05-09 21:47:37 +02:00			`apiAuthUserKey = "api_auth_user"`
			`sessionCookieName = "3x-ui"`
fix session 2024-08-06 13:44:48 +02:00			`)`
3x-ui 2023-02-09 22:48:06 +03:30
			`func init() {`
			`gob.Register(model.User{})`
			`}`

ws/inbounds: realtime fixes + perf for 10k+ client inbounds (#4123 ) 2026-05-05 18:27:49 +03:00			`func SetLoginUser(c gin.Context, user model.User) error {`
fix session 2024-12-16 14:24:59 +01:00			`if user == nil {`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds (#4123 ) 2026-05-05 18:27:49 +03:00			`return nil`
fix session 2024-12-16 14:24:59 +01:00			`}`
3x-ui 2023-02-09 22:48:06 +03:30			`s := sessions.Default(c)`
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`s.Set(loginUserKey, user.Id)`
			`s.Set(loginEpochKey, user.LoginEpoch)`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds (#4123 ) 2026-05-05 18:27:49 +03:00			`return s.Save()`
3x-ui 2023-02-09 22:48:06 +03:30			`}`

Vue3 migration (#4198 ) 2026-05-09 17:38:48 +02:00			`func SetAPIAuthUser(c gin.Context, user model.User) {`
			`if user == nil {`
			`return`
			`}`
			`c.Set(apiAuthUserKey, user)`
			`}`

3x-ui 2023-02-09 22:48:06 +03:30			`func GetLoginUser(c gin.Context) model.User {`
Vue3 migration (#4198 ) 2026-05-09 17:38:48 +02:00			`if v, ok := c.Get(apiAuthUserKey); ok {`
			`if u, ok2 := v.(*model.User); ok2 {`
			`return u`
			`}`
			`}`
3x-ui 2023-02-09 22:48:06 +03:30			`s := sessions.Default(c)`
fix session 2024-12-16 14:24:59 +01:00			`obj := s.Get(loginUserKey)`
fix session 2024-08-06 13:44:48 +02:00			`if obj == nil {`
			`return nil`
3x-ui 2023-02-09 22:48:06 +03:30			`}`
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`userID, ok := sessionUserID(obj)`
fix session 2024-08-06 13:44:48 +02:00			`if !ok {`
fix session 2024-12-16 14:24:59 +01:00			`s.Delete(loginUserKey)`
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`s.Delete(loginEpochKey)`
ws/inbounds: realtime fixes + perf for 10k+ client inbounds (#4123 ) 2026-05-05 18:27:49 +03:00			`if err := s.Save(); err != nil {`
			`logger.Warning("session: failed to drop stale user payload:", err)`
			`}`
fix session 2024-08-06 13:44:48 +02:00			`return nil`
			`}`
Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`if legacyUserID, ok := legacySessionUserID(obj); ok {`
			`s.Set(loginUserKey, legacyUserID)`
			`if err := s.Save(); err != nil {`
			`logger.Warning("session: failed to migrate legacy user payload:", err)`
			`}`
			`}`
			`user, err := getUserByID(userID)`
			`if err != nil {`
			`logger.Warning("session: failed to load user:", err)`
			`s.Delete(loginUserKey)`
			`s.Delete(loginEpochKey)`
			`if saveErr := s.Save(); saveErr != nil {`
			`logger.Warning("session: failed to drop missing user:", saveErr)`
			`}`
			`return nil`
			`}`
			`if !sessionEpochMatches(s.Get(loginEpochKey), user.LoginEpoch) {`
			`s.Delete(loginUserKey)`
			`s.Delete(loginEpochKey)`
			`if saveErr := s.Save(); saveErr != nil {`
			`logger.Warning("session: failed to drop stale epoch:", saveErr)`
			`}`
			`return nil`
			`}`
			`return user`
			`}`

			`func sessionEpochMatches(cookieVal any, userEpoch int64) bool {`
			`var got int64`
			`switch v := cookieVal.(type) {`
			`case nil:`
			`case int64:`
			`got = v`
			`case int:`
			`got = int64(v)`
			`case int32:`
			`got = int64(v)`
			`case float64:`
			`got = int64(v)`
			`default:`
			`return false`
			`}`
			`return got == userEpoch`
3x-ui 2023-02-09 22:48:06 +03:30			`}`

			`func IsLogin(c *gin.Context) bool {`
			`return GetLoginUser(c) != nil`
			`}`

Security hardening: sessions, SSRF, CSP nonce, CSRF logout, trusted proxies (#4275 ) 2026-05-13 12:52:52 +02:00			`func sessionUserID(obj any) (int, bool) {`
			`switch v := obj.(type) {`
			`case int:`
			`return v, v > 0`
			`case int64:`
			`return int(v), v > 0`
			`case int32:`
			`return int(v), v > 0`
			`case float64:`
			`id := int(v)`
			`return id, v == float64(id) && id > 0`
			`case model.User:`
			`return v.Id, v.Id > 0`
			`case *model.User:`
			`if v == nil {`
			`return 0, false`
			`}`
			`return v.Id, v.Id > 0`
			`default:`
			`return 0, false`
			`}`
			`}`

			`func legacySessionUserID(obj any) (int, bool) {`
			`switch v := obj.(type) {`
			`case model.User:`
			`return v.Id, v.Id > 0`
			`case *model.User:`
			`if v == nil {`
			`return 0, false`
			`}`
			`return v.Id, v.Id > 0`
			`default:`
			`return 0, false`
			`}`
			`}`

			`func getUserByID(id int) (*model.User, error) {`
			`db := database.GetDB()`
			`if db == nil {`
			`return nil, http.ErrServerClosed`
			`}`
			`user := &model.User{}`
			`if err := db.Model(model.User{}).Where("id = ?", id).First(user).Error; err != nil {`
			`return nil, err`
			`}`
			`return user, nil`
			`}`

ws/inbounds: realtime fixes + perf for 10k+ client inbounds (#4123 ) 2026-05-05 18:27:49 +03:00			`func ClearSession(c *gin.Context) error {`
3x-ui 2023-02-09 22:48:06 +03:30			`s := sessions.Default(c)`
			`s.Clear()`
v2.9.0 2026-04-20 20:03:40 +02:00			`cookiePath := c.GetString("base_path")`
			`if cookiePath == "" {`
			`cookiePath = "/"`
			`}`
fix(panel): make webBasePath work end-to-end in dev and prod 2026-05-09 21:47:37 +02:00			`secure := c.Request.TLS != nil`
3x-ui 2023-02-09 22:48:06 +03:30			`s.Options(sessions.Options{`
v2.9.0 2026-04-20 20:03:40 +02:00			`Path: cookiePath,`
fix session 2024-08-06 13:44:48 +02:00			`MaxAge: -1,`
			`HttpOnly: true,`
fix(panel): make webBasePath work end-to-end in dev and prod 2026-05-09 21:47:37 +02:00			`Secure: secure,`
cookie: MaxAge 2025-09-12 13:04:36 +02:00			`SameSite: http.SameSiteLaxMode,`
3x-ui 2023-02-09 22:48:06 +03:30			`})`
fix(panel): make webBasePath work end-to-end in dev and prod 2026-05-09 21:47:37 +02:00			`if err := s.Save(); err != nil {`
			`return err`
			`}`
			`if cookiePath != "/" {`
			`http.SetCookie(c.Writer, &http.Cookie{`
			`Name: sessionCookieName,`
			`Value: "",`
			`Path: "/",`
			`MaxAge: -1,`
			`Expires: time.Unix(0, 0),`
			`HttpOnly: true,`
			`Secure: secure,`
			`SameSite: http.SameSiteLaxMode,`
			`})`
			`}`
			`return nil`
3x-ui 2023-02-09 22:48:06 +03:30			`}`