feat(middleware/session): Introduce Extractor pattern for session ID retrieval by sixcolors · Pull Request #3625 · gofiber/fiber

sixcolors · 2025-07-27T17:05:29Z

Implement a flexible Extractor function pattern for session ID retrieval, replacing the previous string-based KeyLookup. Enhance session middleware to support extraction from cookies, headers, queries, and forms. Add a Regenerate method to maintain session data while changing session IDs and improve session lifecycle management by requiring manual session release. Update tests and introduce error handling for missing session IDs in various contexts.

- Replaced string-based KeyLookup with a flexible Extractor function pattern. - Updated session middleware to support Extractor for cookie, header, query, and form. - Added new Regenerate method to preserve session data while changing session ID. - Enhanced session lifecycle management by requiring manual session release. - Updated tests to reflect changes in session ID extraction and regeneration. - Introduced error handling for missing session IDs in various contexts.

…tests

…in session management

coderabbitai · 2025-07-27T17:05:35Z

Walkthrough

This update modernizes the Fiber session middleware by replacing the string-based KeyLookup configuration with a flexible extractor function approach. It introduces new extractor utilities, updates documentation, adds new session management methods including session ID regeneration, and revises tests and configuration logic to align with the new extractor pattern. Session cookie and header handling is unified by supporting multiple extractors and removing source-based branching.

Changes

Files / Group	Change Summary
docs/middleware/session.md, docs/whats_new.md	Documentation extensively revised: new quick start, usage patterns, security, extractors, config, migration guide, and API reference. "What's New" updated to highlight v3 extractor change.
middleware/session/config.go, middleware/session/config_test.go	Removed `KeyLookup` string field; replaced with `Extractor` function. Removed source type and related fields. Tests updated to validate extractor logic and new timeout validation.
middleware/session/extractors.go, middleware/session/extractors_test.go	Added new extractor functions (`FromCookie`, `FromHeader`, `FromQuery`, `FromParam`, `FromForm`) and error variables. Added `Chain` extractor to combine multiple extractors. Comprehensive unit tests added.
middleware/session/middleware.go, middleware/session/middleware_test.go	Added `Regenerate()` method to middleware for session ID regeneration preserving data. Tests extended to cover regeneration and reset flows, and updated to use extractor config.
middleware/session/session.go	Added `getExtractorInfo()` method to retrieve all cookie and header extractors from config. Refactored `setSession()` and `delSession()` to handle multiple extractors, setting or deleting session IDs accordingly. Removed source-based conditional logic to unify session ID handling.
middleware/session/session_test.go, middleware/session/store_test.go	Tests updated to use extractor-based config for session ID retrieval from headers and query parameters; adjusted header assertions accordingly. Added tests for chained extractors behavior.
middleware/session/store.go	Refactored `getSessionID` method to use configured extractor function instead of manual source checks. Simplified logic and removed dependency on utils package.
middleware/csrf/csrf_test.go	Updated session store initialization in CSRF tests to use new `Extractor` field with `FromCookie` instead of deprecated `KeyLookup` string.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant FiberApp
    participant SessionMiddleware
    participant Extractor
    participant Store

    Client->>FiberApp: Sends HTTP request
    FiberApp->>SessionMiddleware: Passes request
    SessionMiddleware->>Extractor: Extract session ID (e.g., FromCookie)
    Extractor-->>SessionMiddleware: Returns session ID or error
    alt session ID found
        SessionMiddleware->>Store: Retrieve session by ID
    else no session ID
        SessionMiddleware->>Store: Create new session
    end
    SessionMiddleware-->>FiberApp: Attach session to context
    FiberApp->>SessionMiddleware: (on response) Save session
    SessionMiddleware->>Store: Save session data
    Store-->>SessionMiddleware: Ack
    SessionMiddleware->>Client: Set cookie with session ID

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~40 minutes

Possibly related PRs

feat!(middleware/session): re-write session middleware with handler #3016: The main PR and this one both involve major rewrites and enhancements of the session middleware, including changes to session store initialization and session management methods, indicating a strong code-level connection.
📚 Doc: Optimize the menu item text #3267: Both PRs involve major updates to session middleware documentation and migration guides for the same version upgrade.

Suggested labels

SessionMW, v3

Suggested reviewers

gaby
ReneWerner87

Poem

Hopping through the session fields anew,
With extractors fresh and cookies true,
Regenerate, reset, and chain—
Rabbits dance in code’s domain.
Docs are clear, the flow refined,
Secure and nimble, well-aligned!
🐇✨

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 471f17e and 49b8a40.

📒 Files selected for processing (1)

docs/middleware/session.md (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

docs/**

📄 CodeRabbit Inference Engine (.github/copilot-instructions.md)

Review and update the contents of the docs folder if necessary when modifying code

Files:

docs/middleware/session.md

🧠 Learnings (2)

📓 Common learnings

Learnt from: sixcolors
PR: gofiber/fiber#3625
File: middleware/session/config.go:57-58
Timestamp: 2025-07-27T17:28:53.403Z
Learning: In the session middleware `Config` struct, the `Extractor` field uses function closures (like `FromCookie(key)`), making it impossible to introspect extractor parameters at runtime for validation purposes without complex reflection techniques.

Learnt from: ReneWerner87
PR: gofiber/fiber#0
File: :0-0
Timestamp: 2024-12-01T10:28:36.011Z
Learning: Feature request #3224 has been created to add support for square bracket notation and comma-separated values in multipart form data in Fiber, while maintaining binary data transfer capabilities. This would bring parity with the existing form-urlencoded functionality.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-07-01T03:44:03.672Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: sixcolors
PR: gofiber/fiber#3016
File: middleware/session/config.go:16-26
Timestamp: 2024-09-25T16:17:00.969Z
Learning: In the session middleware `Config` struct, `Store` is backed by `fiber.Storage`; they are different entities serving distinct purposes in session management.

Learnt from: sixcolors
PR: gofiber/fiber#3016
File: middleware/session/config.go:16-26
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the session middleware `Config` struct, `Store` is backed by `fiber.Storage`; they are different entities serving distinct purposes in session management.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:51-54
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in `DecryptCookie` have been added to ensure consistency and security in the encryption processes.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:51-54
Timestamp: 2024-07-01T03:33:22.283Z
Learning: Unit tests for key length enforcement in `DecryptCookie` have been added to ensure consistency and security in the encryption processes.

Learnt from: ReneWerner87
PR: gofiber/fiber#3161
File: app.go:923-932
Timestamp: 2024-11-15T07:56:21.623Z
Learning: In the Fiber framework, breaking changes are acceptable when moving from version 2 to version 3, including modifications to method signatures such as in the `Test` method in `app.go`.

Learnt from: ksw2000
PR: gofiber/fiber#0
File: :0-0
Timestamp: 2025-07-08T13:41:20.627Z
Learning: ksw2000 suggests implementing a pluggable encoder/decoder registry system in Fiber instead of hardcoding all encoders in app.config. This would solve dependency management issues by allowing users to opt-in only to the formats they need, keeping JSON and XML as defaults while making CBOR and MsgPack explicit registrations.

docs/middleware/session.md (31)

Learnt from: sixcolors
PR: #3625
File: middleware/session/config.go:57-58
Timestamp: 2025-07-27T17:28:53.403Z
Learning: In the session middleware Config struct, the Extractor field uses function closures (like FromCookie(key)), making it impossible to introspect extractor parameters at runtime for validation purposes without complex reflection techniques.

Learnt from: sixcolors
PR: #3016
File: middleware/csrf/csrf_test.go:164-165
Timestamp: 2024-09-25T17:08:07.693Z
Learning: In the Test_CSRF_WithSession_Middleware function, calling session.NewWithStore() without arguments is acceptable, as the default configuration is sufficient.

Learnt from: sixcolors
PR: #3016
File: middleware/csrf/csrf_test.go:164-165
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Test_CSRF_WithSession_Middleware function, calling session.NewWithStore() without arguments is acceptable, as the default configuration is sufficient.

Learnt from: sixcolors
PR: #3016
File: middleware/session/config.go:16-26
Timestamp: 2024-09-25T16:17:00.969Z
Learning: In the session middleware Config struct, Store is backed by fiber.Storage; they are different entities serving distinct purposes in session management.

Learnt from: sixcolors
PR: #3016
File: middleware/session/config.go:16-26
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the session middleware Config struct, Store is backed by fiber.Storage; they are different entities serving distinct purposes in session management.

Learnt from: ReneWerner87
PR: #3598
File: docs/middleware/csrf.md:364-366
Timestamp: 2025-07-19T18:04:19.891Z
Learning: Both *Session and *Middleware in the session package have Destroy() methods with the signature func Destroy() error that take no arguments. The method is called directly on the session middleware instance without any parameters.

Learnt from: sixcolors
PR: #3016
File: middleware/csrf/session_manager.go:30-43
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the session middleware, session.FromContext(c) returns *session.Middleware, whereas m.session.Get(c) returns *session.Store, so they are not directly interchangeable.

Learnt from: sixcolors
PR: #3016
File: middleware/csrf/session_manager.go:30-43
Timestamp: 2024-09-25T16:15:39.392Z
Learning: In the session middleware, session.FromContext(c) returns *session.Middleware, whereas m.session.Get(c) returns *session.Store, so they are not directly interchangeable.

Learnt from: sixcolors
PR: #3051
File: middleware/session/session.go:215-216
Timestamp: 2024-06-30T00:38:06.580Z
Learning: Parallel tests for Session.Save already exist in the middleware/session/session_test.go file, specifically in the Test_Session_Save and Test_Session_Save_Expiration functions.

Learnt from: sixcolors
PR: #3051
File: middleware/session/session.go:215-216
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Parallel tests for Session.Save already exist in the middleware/session/session_test.go file, specifically in the Test_Session_Save and Test_Session_Save_Expiration functions.

Learnt from: sixcolors
PR: #3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the Fiber framework tests, using ctx.Response.Header.Cookie may not be suitable for parsing cookies from the response header, as it requires a *Cookie and fills it rather than returning a string value; thus, manual parsing of the Set-Cookie header may be necessary.

Learnt from: sixcolors
PR: #3016
File: middleware/csrf/csrf_test.go:188-193
Timestamp: 2024-09-25T15:57:10.221Z
Learning: In the Fiber framework tests, using ctx.Response.Header.Cookie may not be suitable for parsing cookies from the response header, as it requires a *Cookie and fills it rather than returning a string value; thus, manual parsing of the Set-Cookie header may be necessary.

Learnt from: sixcolors
PR: #3598
File: docs/middleware/csrf.md:37-42
Timestamp: 2025-07-19T14:06:29.884Z
Learning: In Fiber v3, the CookieSameSite constants use lowercase values: CookieSameSiteLaxMode = "lax", CookieSameSiteStrictMode = "strict", CookieSameSiteNoneMode = "none". Documentation examples should use lowercase string values or the typed constants, not capitalized strings like "Lax".

Learnt from: hcancelik
PR: #3036
File: docs/middleware/cache.md:103-103
Timestamp: 2024-06-15T19:26:06.401Z
Learning: There are no hard tabs in the lines 100 to 105 of the docs/middleware/cache.md file. Future comments about formatting should accurately reflect the actual content.

Learnt from: hcancelik
PR: #3036
File: docs/middleware/cache.md:103-103
Timestamp: 2024-10-08T19:06:06.583Z
Learning: There are no hard tabs in the lines 100 to 105 of the docs/middleware/cache.md file. Future comments about formatting should accurately reflect the actual content.

Learnt from: sixcolors
PR: #3016
File: middleware/session/session.go:272-293
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the middleware/session/session.go file, the saveSession() method returns either nil or an error, so additional error wrapping in the Save() method is unnecessary.

Learnt from: sixcolors
PR: #3016
File: middleware/session/session.go:272-293
Timestamp: 2024-10-02T15:16:39.868Z
Learning: In the middleware/session/session.go file, the saveSession() method returns either nil or an error, so additional error wrapping in the Save() method is unnecessary.

Learnt from: sixcolors
PR: #3016
File: middleware/session/middleware_test.go:400-407
Timestamp: 2024-09-25T17:09:03.756Z
Learning: In the Test_Session_Next function in middleware/session/middleware_test.go, the variable doNext is properly synchronized with the muNext mutex for both read and write access.

Learnt from: sixcolors
PR: #3016
File: middleware/session/session.go:46-61
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In this codebase, the sessionPool only contains Session instances, so type assertions without additional checks are acceptable.

Learnt from: sixcolors
PR: #3016
File: middleware/session/session.go:46-61
Timestamp: 2024-10-02T23:02:12.306Z
Learning: In this codebase, the sessionPool only contains Session instances, so type assertions without additional checks are acceptable.

Learnt from: sixcolors
PR: #3016
File: middleware/session/config.go:122-122
Timestamp: 2024-09-25T16:18:34.719Z
Learning: In DefaultErrorHandler(c *fiber.Ctx, err error), since c is a pointer to an interface, we need to dereference *c when calling interface methods like SendStatus.

Learnt from: sixcolors
PR: #3016
File: middleware/session/config.go:122-122
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In DefaultErrorHandler(c *fiber.Ctx, err error), since c is a pointer to an interface, we need to dereference *c when calling interface methods like SendStatus.

Learnt from: sixcolors
PR: #3051
File: middleware/session/session.go:215-216
Timestamp: 2024-10-08T19:06:06.583Z
Learning: The session.Save() method in the middleware/session package returns the Session back to sync.Pool.

Learnt from: sixcolors
PR: #3051
File: middleware/session/session.go:215-216
Timestamp: 2024-06-30T00:38:06.580Z
Learning: The session.Save() method in the middleware/session package returns the Session back to sync.Pool.

Learnt from: gaby
PR: #3193
File: middleware/cache/cache_test.go:897-897
Timestamp: 2024-11-08T04:10:42.990Z
Learning: In the Fiber framework, Context() is being renamed to RequestCtx(), and UserContext() to Context() to improve clarity and align with Go's context conventions.

Learnt from: mdelapenya
PR: #3434
File: docs/api/services.md:39-43
Timestamp: 2025-05-07T13:07:33.899Z
Learning: When documenting Go interface methods in the Fiber project, avoid showing method signatures with the interface type as the receiver (e.g., func (d *Service) Method()) since interfaces cannot be used as receivers in Go. Instead, show just the method signature without a receiver or use a placeholder implementation name.

Learnt from: gaby
PR: #3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in both EncryptCookie and DecryptCookie functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: gaby
PR: #3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-07-01T03:44:03.672Z
Learning: Unit tests for key length enforcement in both EncryptCookie and DecryptCookie functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: efectn
PR: #3162
File: hooks_test.go:228-228
Timestamp: 2024-12-13T08:14:22.851Z
Learning: In Go test files, prefer using the require methods from the testify package for assertions instead of manual comparisons and calls to t.Fatal or t.Fatalf.

Learnt from: sixcolors
PR: #3016
File: middleware/session/config.go:26-26
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the session middleware, the newStore, New, and NewWithStore functions ensure that a Store is present even if it is not initialized in ConfigDefault.

Learnt from: sixcolors
PR: #3016
File: middleware/session/config.go:26-26
Timestamp: 2024-09-25T16:18:46.641Z
Learning: In the session middleware, the newStore, New, and NewWithStore functions ensure that a Store is present even if it is not initialized in ConfigDefault.

🪛 LanguageTool

docs/middleware/session.md

[style] ~338-~338: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ... Only cookie is set in the response - Only Header extractors: Only header is set...

(ADVERB_REPETITION_PREMIUM)

[style] ~339-~339: This adverb was used twice in the sentence. Consider removing one of them or replacing them with a synonym.
Context: ... Only header is set in the response - Only Query/Form/Param extractors: No respo...

(ADVERB_REPETITION_PREMIUM)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)

GitHub Check: Compare
GitHub Check: repeated
GitHub Check: lint
GitHub Check: unit (1.24.x, windows-latest)

✨ Finishing Touches

🧪 Generate unit tests

Create PR with unit tests
Post copyable unit tests in a comment
Commit unit tests in branch session-extractors

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

Review comments: Directly reply to a review comment made by CodeRabbit. Example:
- I pushed a fix in commit <commit_id>, please review it.
- Explain this complex logic.
- Open a follow-up GitHub issue for this discussion.
Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
- @coderabbitai explain this code block.
- @coderabbitai modularize this function.
PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
- @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
- @coderabbitai read src/utils.ts and explain its main purpose.
- @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
- @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

@coderabbitai pause to pause the reviews on a PR.
@coderabbitai resume to resume the paused reviews.
@coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
@coderabbitai full review to do a full review from scratch and review all the files again.
@coderabbitai summary to regenerate the summary of the PR.
@coderabbitai generate docstrings to generate docstrings for this PR.
@coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
@coderabbitai generate unit tests to generate unit tests for this PR.
@coderabbitai resolve resolve all the CodeRabbit review comments.
@coderabbitai configuration to show the current CodeRabbit configuration for the repository.
@coderabbitai help to get help.

Other keywords and placeholders

Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (`.coderabbit.yaml`)

You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
Please see the configuration documentation for more information.
If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

Visit our Documentation for detailed information on how to use CodeRabbit.
Join our Discord Community to get help, request features, and share feedback.
Follow us on X/Twitter for updates and announcements.

gemini-code-assist

Summary of Changes

Hello @sixcolors, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a more robust and flexible session ID extraction mechanism, moving from a simple string lookup to a powerful function-based Extractor pattern. It also enhances session security by adding a Regenerate method to prevent session fixation and provides comprehensive documentation updates to guide users on best practices for session management and security in Fiber applications.

Highlights

Flexible Session ID Extraction: The previous string-based KeyLookup configuration for session ID retrieval has been replaced with a new, more flexible Extractor function pattern. This allows session IDs to be extracted from various sources including cookies, headers, URL queries, form data, and URL path parameters. A Chain function is also introduced to allow multiple extraction methods with fallback.
Enhanced Session Lifecycle Management: A new Regenerate method has been added to the session middleware. This method allows changing the session ID while preserving all existing session data, which is a critical security feature to prevent session fixation attacks, especially after user authentication. The documentation now clearly distinguishes between Regenerate, Reset (change ID, clear data), and Destroy (keep ID, clear data).
Improved Security Practices and Documentation: The session middleware documentation has been significantly updated to provide clearer guidance on usage patterns, security best practices (including session fixation prevention), and detailed configuration options. It also clarifies the manual session release requirement for the advanced 'Store Pattern' usage.
Refined Session Timeout Handling: The session expiration logic has been refined, replacing the single Expiration field with distinct IdleTimeout (inactivity timeout) and AbsoluteTimeout (maximum session duration) fields for more precise control over session lifespan.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments or fill out our survey to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

gemini-code-assist

Code Review

This pull request introduces the Extractor pattern for session ID retrieval, enhancing session middleware flexibility. The documentation has been extensively updated. I have provided suggestions to improve clarity in the documentation and address a potential point of confusion in the configuration.

docs/middleware/session.md

middleware/session/config.go

docs/middleware/session.md

coderabbitai

Actionable comments posted: 1

🧹 Nitpick comments (2)

docs/whats_new.md (1)
1309-1309: Fix duplicate heading to resolve markdownlint warning.

The heading "### Session" appears twice in this section, causing a markdownlint violation. Consider differentiating the headings to clearly distinguish their content.
-### Session
+### Session Extractor Pattern
Or alternatively, consider combining the content under a single section with appropriate subheadings.
middleware/session/extractors.go (1)
40-49: FromForm implementation with minor documentation improvement needed.

The implementation correctly uses c.FormValue(param) which handles both multipart and URL-encoded forms. However, the comment on line 40 says "multipart-form" when it actually supports both form encoding types.

Consider updating the comment for accuracy:
-// FromForm returns a function that extracts session ID from a multipart-form.
+// FromForm returns a function that extracts session ID from form data (both multipart and URL-encoded).

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c0b2617 and e4b6b88.

📒 Files selected for processing (13)

docs/middleware/session.md (1 hunks)
docs/whats_new.md (1 hunks)
middleware/csrf/csrf_test.go (3 hunks)
middleware/session/config.go (4 hunks)
middleware/session/config_test.go (2 hunks)
middleware/session/extractors.go (1 hunks)
middleware/session/extractors_test.go (1 hunks)
middleware/session/middleware.go (1 hunks)
middleware/session/middleware_test.go (4 hunks)
middleware/session/session.go (1 hunks)
middleware/session/session_test.go (2 hunks)
middleware/session/store.go (2 hunks)
middleware/session/store_test.go (2 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

docs/**

📄 CodeRabbit Inference Engine (.github/copilot-instructions.md)

Review and update the contents of the docs folder if necessary when modifying code

Files:

docs/whats_new.md
docs/middleware/session.md

🧠 Learnings (14)

📓 Common learnings

Learnt from: ReneWerner87
PR: gofiber/fiber#0
File: :0-0
Timestamp: 2024-12-01T10:28:36.011Z
Learning: Feature request #3224 has been created to add support for square bracket notation and comma-separated values in multipart form data in Fiber, while maintaining binary data transfer capabilities. This would bring parity with the existing form-urlencoded functionality.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:20-23
Timestamp: 2024-07-01T03:44:03.672Z
Learning: Unit tests for key length enforcement in both `EncryptCookie` and `DecryptCookie` functions have been added to ensure robust validation and prevent potential runtime errors.

Learnt from: sixcolors
PR: gofiber/fiber#3016
File: middleware/session/config.go:16-26
Timestamp: 2024-09-25T16:17:00.969Z
Learning: In the session middleware `Config` struct, `Store` is backed by `fiber.Storage`; they are different entities serving distinct purposes in session management.

Learnt from: sixcolors
PR: gofiber/fiber#3016
File: middleware/session/config.go:16-26
Timestamp: 2024-10-08T19:06:06.583Z
Learning: In the session middleware `Config` struct, `Store` is backed by `fiber.Storage`; they are different entities serving distinct purposes in session management.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:51-54
Timestamp: 2024-10-08T19:06:06.583Z
Learning: Unit tests for key length enforcement in `DecryptCookie` have been added to ensure consistency and security in the encryption processes.

Learnt from: gaby
PR: gofiber/fiber#3056
File: middleware/encryptcookie/utils.go:51-54
Timestamp: 2024-07-01T03:33:22.283Z
Learning: Unit tests for key length enforcement in `DecryptCookie` have been added to ensure consistency and security in the encryption processes.

Learnt from: ReneWerner87
PR: gofiber/fiber#3161
File: app.go:923-932
Timestamp: 2024-11-15T07:56:21.623Z
Learning: In the Fiber framework, breaking changes are acceptable when moving from version 2 to version 3, including modifications to method signatures such as in the `Test` method in `app.go`.

middleware/session/session_test.go (23)