Move session management into session manager. Split the cookies to avoid the 4k limit ( resolves issue: #15 )

This reverts commit dedbdf63c3.

.traefik.yml

@@ -13,6 +13,7 @@ testData:
   clientSecret: secret
   callbackURL: /oauth2/callback
   logoutURL: /oauth2/logout
+  postLogoutRedirectURI: /oidc/different-logout # If not provided it will redirect to the "/" URL
   scopes: # If not provided, default scopes will be used (openid, email, profile)
     - openid
     - email

README.md

@@ -38,6 +38,7 @@ spec:
       sessionEncryptionKey: vvv
       callbackURL: /cool-oidc/callback
       logoutURL: /cool-oidc/logout
+      postLogoutRedirectURI: /my-website/you-have-logged-out # Optional post logout URL redirection
       scopes:
         - openid
         - email

go.mod

@@ -6,7 +6,7 @@ toolchain go1.23.1
 
 require (
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/sessions v1.4.0
+	github.com/gorilla/sessions v1.3.0
 	golang.org/x/time v0.7.0
 )
 

go.sum

@@ -6,9 +6,5 @@ github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kX
 github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
 github.com/gorilla/sessions v1.3.0 h1:XYlkq7KcpOB2ZhHBPv5WpjMIxrQosiZanfoy1HLZFzg=
 github.com/gorilla/sessions v1.3.0/go.mod h1:ePLdVu+jbEgHH+KWw8I1z2wqd0BAdAQh/8LRvBeoNcQ=
-github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
-github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
-golang.org/x/time v0.5.0 h1:o7cqy6amK/52YcAKIPlM3a+Fpj35zvRj2TP+e1xFSfk=
-golang.org/x/time v0.5.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
 golang.org/x/time v0.7.0 h1:ntUhktv3OPE6TgYxXWv9vKvUSJyIFJlyohwbkEwPrKQ=
 golang.org/x/time v0.7.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=

helpers.go

@@ -13,10 +13,19 @@ import (
 	"sync"
 	"time"
 
-	"github.com/google/uuid"
 	"github.com/gorilla/sessions"
 )
 
+func newSessionOptions(isSecure bool) *sessions.Options {
+	return &sessions.Options{
+		HttpOnly: true,
+		Secure:   isSecure,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   ConstSessionTimeout,
+		Path:     "/",
+	}
+}
+
 // generateNonce generates a random nonce
 func generateNonce() (string, error) {
 	nonceBytes := make([]byte, 32)
@@ -27,14 +36,6 @@ func generateNonce() (string, error) {
 	return base64.URLEncoding.EncodeToString(nonceBytes), nil
 }
 
-// buildFullURL constructs a full URL from scheme, host, and path
-func buildFullURL(scheme, host, path string) string {
-	if scheme == "" {
-		scheme = "http"
-	}
-	return fmt.Sprintf("%s://%s%s", scheme, host, path)
-}
-
 // exchangeTokens exchanges a code or refresh token for tokens
 func (t *TraefikOidc) exchangeTokens(ctx context.Context, grantType, codeOrToken, redirectURL string) (*TokenResponse, error) {
 	data := url.Values{
@@ -97,77 +98,22 @@ func (t *TraefikOidc) getNewTokenWithRefreshToken(refreshToken string) (*TokenRe
 	return tokenResponse, nil
 }
 
-// handleLogout handles the user logout
-func (t *TraefikOidc) handleLogout(rw http.ResponseWriter, req *http.Request) {
-	session, err := t.store.Get(req, cookieName)
-	t.logger.Debugf("Logging out user")
-	if err != nil {
-		handleError(rw, "Session error", http.StatusInternalServerError, t.logger)
-		return
-	}
-
-	// Revoke tokens if available
-	if refreshToken, ok := session.Values["refresh_token"].(string); ok && refreshToken != "" {
-		if err := t.RevokeTokenWithProvider(refreshToken, "refresh_token"); err != nil {
-			t.logger.Errorf("Failed to revoke refresh token: %v", err)
-		}
-		t.RevokeToken(refreshToken)
-	}
-	if accessToken, ok := session.Values["access_token"].(string); ok && accessToken != "" {
-		if err := t.RevokeTokenWithProvider(accessToken, "access_token"); err != nil {
-			t.logger.Errorf("Failed to revoke access token: %v", err)
-		}
-		t.RevokeToken(accessToken)
-	}
-
-	// Remove tokens from session
-	delete(session.Values, "id_token")
-	delete(session.Values, "refresh_token")
-	delete(session.Values, "access_token")
-	delete(session.Values, "authenticated")
-
-	// Set session options to delete the session
-	session.Options = defaultSessionOptions
-	session.Options.MaxAge = -1
-
-	if err := session.Save(req, rw); err != nil {
-		handleError(rw, "Failed to save session", http.StatusInternalServerError, t.logger)
-		return
-	}
-
-	// Redirect or display logout message
-	rw.WriteHeader(http.StatusOK)
-	rw.Write([]byte("Logged out successfully"))
-}
-
 // handleExpiredToken handles the case when a token has expired
-func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Request, session *sessions.Session) {
+func (t *TraefikOidc) handleExpiredToken(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
 	// Clear the existing session
-	session.Options.MaxAge = -1
-	for k := range session.Values {
-		delete(session.Values, k)
-	}
-
-	// Set new values
-	session.Values["csrf"] = uuid.New().String()
-	session.Values["incoming_path"] = req.URL.Path
-	session.Values["nonce"], _ = generateNonce()
-	session.Options = defaultSessionOptions
-
-	// Save the session before initiating authentication
-	if err := session.Save(req, rw); err != nil {
-		t.logger.Errorf("Failed to save session: %v", err)
+	if err := session.Clear(req, rw); err != nil {
+		t.logger.Errorf("Failed to clear session: %v", err)
 		http.Error(rw, "Internal Server Error", http.StatusInternalServerError)
 		return
 	}
 
-	// Initiate a new authentication flow
-	t.initiateAuthenticationFunc(rw, req, session, t.redirectURL)
+	// Initialize new authentication
+	t.defaultInitiateAuthentication(rw, req, session, redirectURL)
 }
 
 // handleCallback handles the callback from the OIDC provider
-func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request) {
-	session, err := t.store.Get(req, cookieName)
+func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request, redirectURL string) {
+	session, err := t.sessionManager.GetSession(req)
 	if err != nil {
 		t.logger.Errorf("Session error: %v", err)
 		http.Error(rw, "Session error", http.StatusInternalServerError)
@@ -184,26 +130,28 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request)
 		return
 	}
 
-	// Validate the state parameter matches the session's CSRF token
+	// Validate state parameter matches the session's CSRF token
 	state := req.URL.Query().Get("state")
 	if state == "" {
 		t.logger.Error("No state in callback")
 		http.Error(rw, "State parameter missing in callback", http.StatusBadRequest)
 		return
 	}
-	csrfToken, ok := session.Values["csrf"].(string)
-	if !ok || csrfToken == "" {
+
+	csrfToken := session.GetCSRF()
+	if csrfToken == "" {
 		t.logger.Error("CSRF token missing in session")
 		http.Error(rw, "CSRF token missing", http.StatusBadRequest)
 		return
 	}
+
 	if state != csrfToken {
 		t.logger.Error("State parameter does not match CSRF token in session")
 		http.Error(rw, "Invalid state parameter", http.StatusBadRequest)
 		return
 	}
 
-	// Proceed to exchange the code for tokens
+	// Exchange code for tokens
 	code := req.URL.Query().Get("code")
 	if code == "" {
 		t.logger.Error("No code in callback")
@@ -211,56 +159,49 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request)
 		return
 	}
 
-	tokenResponse, err := t.exchangeCodeForTokenFunc(code)
+	tokenResponse, err := t.exchangeCodeForTokenFunc(code, redirectURL)
 	if err != nil {
 		t.logger.Errorf("Failed to exchange code for token: %v", err)
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
 
-	// Extract id_token
-	idToken := tokenResponse.IDToken
-	if idToken == "" {
-		t.logger.Error("No id_token in token response")
-		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
-		return
-	}
-
-	// Verify the id_token
-	if err := t.verifyToken(idToken); err != nil {
+	// Verify and process tokens
+	if err := t.verifyToken(tokenResponse.IDToken); err != nil {
 		t.logger.Errorf("Failed to verify id_token: %v", err)
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
 
-	// Extract claims from id_token
-	claims, err := t.extractClaimsFunc(idToken)
+	claims, err := t.extractClaimsFunc(tokenResponse.IDToken)
 	if err != nil {
 		t.logger.Errorf("Failed to extract claims: %v", err)
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
 
-	// Verify the nonce claim matches the one stored in session
+	// Verify nonce
 	nonceClaim, ok := claims["nonce"].(string)
 	if !ok || nonceClaim == "" {
 		t.logger.Error("Nonce claim missing in id_token")
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
-	sessionNonce, ok := session.Values["nonce"].(string)
-	if !ok || sessionNonce == "" {
+
+	sessionNonce := session.GetNonce()
+	if sessionNonce == "" {
 		t.logger.Error("Nonce not found in session")
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
+
 	if nonceClaim != sessionNonce {
 		t.logger.Error("Nonce claim does not match session nonce")
 		http.Error(rw, "Authentication failed", http.StatusInternalServerError)
 		return
 	}
 
-	// Get the email from claims
+	// Process email
 	email, _ := claims["email"].(string)
 	if email == "" || !t.isAllowedDomain(email) {
 		t.logger.Errorf("Invalid or disallowed email: %s", email)
@@ -268,31 +209,25 @@ func (t *TraefikOidc) handleCallback(rw http.ResponseWriter, req *http.Request)
 		return
 	}
 
-	// Store tokens and authentication status in session
-	session.Values["authenticated"] = true
-	session.Values["email"] = email
-	session.Values["id_token"] = idToken
-	session.Values["refresh_token"] = tokenResponse.RefreshToken
-	session.Options = defaultSessionOptions
-
-	// Remove CSRF and nonce from session
-	delete(session.Values, "csrf")
-	delete(session.Values, "nonce")
+	// Update session with new values
+	session.SetAuthenticated(true)
+	session.SetEmail(email)
+	session.SetAccessToken(tokenResponse.IDToken)
+	session.SetRefreshToken(tokenResponse.RefreshToken)
 
+	// Save session
 	if err := session.Save(req, rw); err != nil {
 		t.logger.Errorf("Failed to save session: %v", err)
 		http.Error(rw, "Failed to save session", http.StatusInternalServerError)
 		return
 	}
 
-	t.logger.Debugf("Authentication successful. User email: %s", email)
-
-	// Redirect to the original requested path or default to root
+	// Redirect to original path or root
 	redirectPath := "/"
-	if path, ok := session.Values["incoming_path"].(string); ok && path != t.redirURLPath {
-		t.logger.Debugf("Redirecting to incoming path from original request: %s", path)
-		redirectPath = path
+	if incomingPath := session.GetIncomingPath(); incomingPath != "" && incomingPath != t.redirURLPath {
+		redirectPath = incomingPath
 	}
+
 	http.Redirect(rw, req, redirectPath, http.StatusFound)
 }
 
@@ -397,9 +332,9 @@ func (tc *TokenCache) Cleanup() {
 }
 
 // exchangeCodeForToken exchanges the authorization code for tokens
-func (t *TraefikOidc) exchangeCodeForToken(code string) (*TokenResponse, error) {
+func (t *TraefikOidc) exchangeCodeForToken(code string, redirectURL string) (*TokenResponse, error) {
 	ctx := context.Background()
-	tokenResponse, err := t.exchangeTokens(ctx, "authorization_code", code, t.redirectURL)
+	tokenResponse, err := t.exchangeTokens(ctx, "authorization_code", code, redirectURL)
 	if err != nil {
 		return nil, fmt.Errorf("failed to exchange code for token: %w", err)
 	}
@@ -414,3 +349,69 @@ func createStringMap(keys []string) map[string]struct{} {
 	}
 	return result
 }
+
+// handleLogout handles the logout request
+func (t *TraefikOidc) handleLogout(rw http.ResponseWriter, req *http.Request) {
+	session, err := t.sessionManager.GetSession(req)
+	if err != nil {
+		t.logger.Errorf("Error getting session: %v", err)
+		http.Error(rw, "Session error", http.StatusInternalServerError)
+		return
+	}
+
+	// Get the access token before clearing session
+	accessToken := session.GetAccessToken()
+
+	// Clear all session data
+	if err := session.Clear(req, rw); err != nil {
+		t.logger.Errorf("Error clearing session: %v", err)
+		http.Error(rw, "Session error", http.StatusInternalServerError)
+		return
+	}
+
+	// Get the base URL for redirects
+	host := t.determineHost(req)
+	scheme := t.determineScheme(req)
+	baseURL := fmt.Sprintf("%s://%s", scheme, host)
+
+	// Determine post logout redirect URI
+	postLogoutRedirectURI := t.postLogoutRedirectURI
+	if postLogoutRedirectURI == "" {
+		postLogoutRedirectURI = fmt.Sprintf("%s/", baseURL)
+	} else if !strings.HasPrefix(postLogoutRedirectURI, "http") {
+		postLogoutRedirectURI = fmt.Sprintf("%s%s", baseURL, postLogoutRedirectURI)
+	}
+
+	// If we have an end session endpoint and an access token, use OIDC end session
+	if t.endSessionURL != "" && accessToken != "" {
+		logoutURL, err := BuildLogoutURL(t.endSessionURL, accessToken, postLogoutRedirectURI)
+		if err != nil {
+			t.logger.Errorf("Failed to build logout URL: %v", err)
+			http.Error(rw, "Logout error", http.StatusInternalServerError)
+			return
+		}
+		http.Redirect(rw, req, logoutURL, http.StatusFound)
+		return
+	}
+
+	// Otherwise, redirect to post logout URI
+	http.Redirect(rw, req, postLogoutRedirectURI, http.StatusFound)
+}
+
+// BuildLogoutURL constructs the OIDC end session URL
+func BuildLogoutURL(endSessionURL, idToken, postLogoutRedirectURI string) (string, error) {
+	u, err := url.Parse(endSessionURL)
+	if err != nil {
+		return "", fmt.Errorf("failed to parse end session URL: %w", err)
+	}
+
+	q := u.Query()
+	q.Set("id_token_hint", idToken)
+	if postLogoutRedirectURI != "" {
+		// Ensure postLogoutRedirectURI is properly URL encoded
+		q.Set("post_logout_redirect_uri", postLogoutRedirectURI)
+	}
+	u.RawQuery = q.Encode()
+
+	return u.String(), nil
+}

main.go

@@ -14,7 +14,6 @@ import (
 	"time"
 
 	"github.com/google/uuid"
-	"github.com/gorilla/sessions"
 	"golang.org/x/time/rate"
 )
 
@@ -34,7 +33,6 @@ type JWTVerifier interface {
 type TraefikOidc struct {
 	next                       http.Handler
 	name                       string
-	store                      sessions.Store
 	redirURLPath               string
 	logoutURLPath              string
 	issuerURL                  string
@@ -53,26 +51,29 @@ type TraefikOidc struct {
 	tokenCache                 *TokenCache
 	httpClient                 *http.Client
 	logger                     *Logger
-	redirectURL                string
 	tokenVerifier              TokenVerifier
 	jwtVerifier                JWTVerifier
 	excludedURLs               map[string]struct{}
 	allowedUserDomains         map[string]struct{}
 	allowedRolesAndGroups      map[string]struct{}
-	initiateAuthenticationFunc func(rw http.ResponseWriter, req *http.Request, session *sessions.Session, redirectURL string)
-	exchangeCodeForTokenFunc   func(code string) (*TokenResponse, error)
+	initiateAuthenticationFunc func(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string)
+	exchangeCodeForTokenFunc   func(code string, redirectURL string) (*TokenResponse, error)
 	extractClaimsFunc          func(tokenString string) (map[string]interface{}, error)
-	initOnce                   sync.Once
 	initComplete               chan struct{}
+	endSessionURL              string
+	baseURL                    string
+	postLogoutRedirectURI      string
+	sessionManager             *SessionManager
 }
 
 // ProviderMetadata holds OIDC provider metadata
 type ProviderMetadata struct {
-	Issuer    string `json:"issuer"`
-	AuthURL   string `json:"authorization_endpoint"`
-	TokenURL  string `json:"token_endpoint"`
-	JWKSURL   string `json:"jwks_uri"`
-	RevokeURL string `json:"revocation_endpoint"`
+	Issuer        string `json:"issuer"`
+	AuthURL       string `json:"authorization_endpoint"`
+	TokenURL      string `json:"token_endpoint"`
+	JWKSURL       string `json:"jwks_uri"`
+	RevokeURL     string `json:"revocation_endpoint"`
+	EndSessionURL string `json:"end_session_endpoint"`
 }
 
 // defaultExcludedURLs are the paths that are excluded from authentication
@@ -82,6 +83,14 @@ var defaultExcludedURLs = map[string]struct{}{
 
 var newTicker = time.NewTicker
 
+var (
+	globalMetadataCache struct {
+		sync.Once
+		metadata *ProviderMetadata
+		err      error
+	}
+)
+
 // VerifyToken verifies the provided JWT token
 func (t *TraefikOidc) VerifyToken(token string) error {
 	t.logger.Debugf("Verifying token")
@@ -175,9 +184,6 @@ func (t *TraefikOidc) VerifyJWTSignatureAndClaims(jwt *JWT, token string) error
 
 // New creates a new instance of the OIDC middleware
 func New(ctx context.Context, next http.Handler, config *Config, name string) (http.Handler, error) {
-	store := sessions.NewCookieStore([]byte(config.SessionEncryptionKey))
-	store.Options = defaultSessionOptions
-
 	// Setup HTTP client
 	transport := &http.Transport{
 		Proxy: http.ProxyFromEnvironment,
@@ -190,7 +196,7 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		},
 		ForceAttemptHTTP2:     true,
 		TLSHandshakeTimeout:   10 * time.Second,
-		ExpectContinueTimeout: 1 * time.Second,
+		ExpectContinueTimeout: 0,
 		MaxIdleConns:          100,
 		MaxIdleConnsPerHost:   100,
 		IdleConnTimeout:       90 * time.Second,
@@ -209,7 +215,6 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 	t := &TraefikOidc{
 		next:         next,
 		name:         name,
-		store:        store,
 		redirURLPath: config.CallbackURL,
 		logoutURLPath: func() string {
 			if config.LogoutURL == "" {
@@ -217,6 +222,12 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 			}
 			return config.LogoutURL
 		}(),
+		postLogoutRedirectURI: func() string {
+			if config.PostLogoutRedirectURI == "" {
+				return "/"
+			}
+			return config.PostLogoutRedirectURI
+		}(),
 		tokenBlacklist:        NewTokenBlacklist(),
 		jwkCache:              &JWKCache{},
 		clientID:              config.ClientID,
@@ -233,9 +244,10 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 		initComplete:          make(chan struct{}),
 	}
 
+	t.sessionManager = NewSessionManager(config.SessionEncryptionKey, config.ForceHTTPS, t.logger)
 	t.extractClaimsFunc = extractClaims
 	t.exchangeCodeForTokenFunc = t.exchangeCodeForToken
-	t.initiateAuthenticationFunc = func(rw http.ResponseWriter, req *http.Request, session *sessions.Session, redirectURL string) {
+	t.initiateAuthenticationFunc = func(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
 		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
 	}
 
@@ -254,20 +266,26 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 
 // initializeMetadata discovers and initializes the provider metadata
 func (t *TraefikOidc) initializeMetadata(providerURL string) {
-	t.initOnce.Do(func() {
+	globalMetadataCache.Once.Do(func() {
+		t.logger.Debug("Starting global provider metadata discovery")
 		metadata, err := discoverProviderMetadata(providerURL, t.httpClient, t.logger)
-		if err != nil {
-			t.logger.Errorf("Failed to discover provider metadata: %v", err)
-		} else {
-			t.logger.Debug("Provider metadata discovered successfully")
-			t.jwksURL = metadata.JWKSURL
-			t.authURL = metadata.AuthURL
-			t.tokenURL = metadata.TokenURL
-			t.issuerURL = metadata.Issuer
-			t.revocationURL = metadata.RevokeURL
-		}
-		close(t.initComplete)
+		globalMetadataCache.metadata = metadata
+		globalMetadataCache.err = err
 	})
+
+	if globalMetadataCache.err != nil {
+		t.logger.Errorf("Failed to discover provider metadata: %v", globalMetadataCache.err)
+	} else if globalMetadataCache.metadata != nil {
+		t.logger.Debug("Using cached provider metadata")
+		t.jwksURL = globalMetadataCache.metadata.JWKSURL
+		t.authURL = globalMetadataCache.metadata.AuthURL
+		t.tokenURL = globalMetadataCache.metadata.TokenURL
+		t.issuerURL = globalMetadataCache.metadata.Issuer
+		t.revocationURL = globalMetadataCache.metadata.RevokeURL
+		t.endSessionURL = globalMetadataCache.metadata.EndSessionURL
+	}
+
+	close(t.initComplete)
 }
 
 // discoverProviderMetadata fetches the OIDC provider metadata
@@ -341,92 +359,68 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 			http.Error(rw, "OIDC middleware not yet initialized", http.StatusInternalServerError)
 			return
 		}
-		// Process the request as normal
 	case <-req.Context().Done():
 		t.logger.Debug("Request cancelled")
 		http.Error(rw, "Request cancelled", http.StatusServiceUnavailable)
 		return
 	}
 
-	// Check if the URL is excluded from authentication
+	// Check if URL is excluded
 	if t.determineExcludedURL(req.URL.Path) {
 		t.next.ServeHTTP(rw, req)
 		return
 	}
 
-	// Determine the scheme (http/https) and host
-	t.scheme = t.determineScheme(req)
-	defaultSessionOptions.Secure = t.scheme == "https"
-	host := t.determineHost(req)
-
-	// Build the redirect URL if not already set
-	if t.redirectURL == "" {
-		t.redirectURL = buildFullURL(t.scheme, host, t.redirURLPath)
-		t.logger.Debugf("Redirect URL updated to: %s", t.redirectURL)
-	}
-
-	// Get the session
-	session, err := t.store.Get(req, cookieName)
+	// Get session
+	session, err := t.sessionManager.GetSession(req)
 	if err != nil {
 		t.logger.Errorf("Error getting session: %v", err)
 		http.Error(rw, "Session error", http.StatusInternalServerError)
 		return
 	}
 
-	t.logger.Debugf("Session contents at start: %+v", session.Values)
+	// Build redirect URL
+	scheme := t.determineScheme(req)
+	host := t.determineHost(req)
+	redirectURL := buildFullURL(scheme, host, t.redirURLPath)
 
-	// Handle logout URL
+	// Handle special URLs
 	if req.URL.Path == t.logoutURLPath {
 		t.handleLogout(rw, req)
 		return
 	}
 
-	// Handle callback URL
 	if req.URL.Path == t.redirURLPath {
-		t.handleCallback(rw, req)
+		t.handleCallback(rw, req, redirectURL)
 		return
 	}
 
-	// Check if the user is authenticated
+	// Check authentication status
 	authenticated, needsRefresh, expired := t.isUserAuthenticated(session)
 
 	if expired {
-		t.handleExpiredToken(rw, req, session)
+		t.handleExpiredToken(rw, req, session, redirectURL)
 		return
 	}
 
 	if !authenticated {
-		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
+		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
 		return
 	}
 
 	if needsRefresh {
 		refreshed := t.refreshToken(rw, req, session)
 		if !refreshed {
-			t.handleExpiredToken(rw, req, session)
+			t.handleExpiredToken(rw, req, session, redirectURL)
 			return
 		}
 	}
 
-	// At this point, the user is authenticated
-	idToken, ok := session.Values["id_token"].(string)
-	if !ok || idToken == "" {
-		t.logger.Errorf("No id_token found in session")
-		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
-		return
-	}
-
-	claims, err := extractClaims(idToken)
-	if err != nil {
-		t.logger.Errorf("Failed to extract claims: %v", err)
-		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
-		return
-	}
-
-	email, _ := claims["email"].(string)
+	// Process authenticated request
+	email := session.GetEmail()
 	if email == "" {
-		t.logger.Debugf("No email found in token claims")
-		t.defaultInitiateAuthentication(rw, req, session, t.redirectURL)
+		t.logger.Debug("No email found in session")
+		t.defaultInitiateAuthentication(rw, req, session, redirectURL)
 		return
 	}
 
@@ -436,36 +430,10 @@ func (t *TraefikOidc) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		return
 	}
 
-	groups, roles, err := t.extractGroupsAndRoles(idToken)
-	if err != nil {
-		t.logger.Errorf("Failed to extract groups and roles: %v", err)
-	} else {
-		// Set headers for groups and roles
-		if len(groups) > 0 {
-			req.Header.Set("X-User-Groups", strings.Join(groups, ","))
-		}
-		if len(roles) > 0 {
-			req.Header.Set("X-User-Roles", strings.Join(roles, ","))
-		}
-	}
-
-	if len(t.allowedRolesAndGroups) > 0 {
-		allowed := false
-		for _, roleOrGroup := range append(groups, roles...) {
-			if _, ok := t.allowedRolesAndGroups[roleOrGroup]; ok {
-				allowed = true
-				break
-			}
-		}
-		if !allowed {
-			t.logger.Infof("User with email %s does not have any allowed roles or groups", email)
-			http.Error(rw, fmt.Sprintf("Access denied: You do not have any allowed roles or groups. To log out, visit: %s", t.logoutURLPath), http.StatusForbidden)
-			return
-		}
-	}
-
+	// Set user information in headers
 	req.Header.Set("X-Forwarded-User", email)
 
+	// Process the request
 	t.next.ServeHTTP(rw, req)
 }
 
@@ -504,37 +472,34 @@ func (t *TraefikOidc) determineHost(req *http.Request) string {
 }
 
 // isUserAuthenticated checks if the user is authenticated
-func (t *TraefikOidc) isUserAuthenticated(session *sessions.Session) (bool, bool, bool) {
-	authenticated, _ := session.Values["authenticated"].(bool)
-	t.logger.Debugf("Session authenticated value: %v", authenticated)
-
-	if !authenticated {
+func (t *TraefikOidc) isUserAuthenticated(session *SessionData) (bool, bool, bool) {
+	if !session.GetAuthenticated() {
 		t.logger.Debug("User is not authenticated according to session")
 		return false, false, false
 	}
 
-	idToken, ok := session.Values["id_token"].(string)
-	if !ok || idToken == "" {
-		t.logger.Debug("No id_token found in session")
+	accessToken := session.GetAccessToken()
+	if accessToken == "" {
+		t.logger.Debug("No access token found in session")
 		return false, false, true // Session is invalid, consider it expired
 	}
 
 	// Verify the token
-	if err := t.verifyToken(idToken); err != nil {
+	if err := t.verifyToken(accessToken); err != nil {
 		t.logger.Errorf("Token verification failed: %v", err)
 		return false, false, true // Token is invalid, consider it expired
 	}
 
-	claims, err := extractClaims(idToken)
+	claims, err := extractClaims(accessToken)
 	if err != nil {
 		t.logger.Errorf("Failed to extract claims: %v", err)
-		return false, false, true // Can't read claims, consider it expired
+		return false, false, true
 	}
 
 	expClaim, ok := claims["exp"].(float64)
 	if !ok {
-		t.logger.Errorf("Failed to get expiration time from claims")
-		return false, false, true // No expiration, consider it expired
+		t.logger.Error("Failed to get expiration time from claims")
+		return false, false, true
 	}
 
 	now := time.Now().Unix()
@@ -542,7 +507,7 @@ func (t *TraefikOidc) isUserAuthenticated(session *sessions.Session) (bool, bool
 
 	if now > expTime {
 		t.logger.Debug("Token has expired")
-		return false, false, true // Token has expired
+		return false, false, true
 	}
 
 	gracePeriod := time.Minute * 5
@@ -551,26 +516,23 @@ func (t *TraefikOidc) isUserAuthenticated(session *sessions.Session) (bool, bool
 		return true, true, false // Token will expire soon, needs refresh
 	}
 
-	return true, false, false // Token is valid and not expiring soon
+	return true, false, false
 }
 
 // defaultInitiateAuthentication initiates the authentication process
-func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req *http.Request, session *sessions.Session, redirectURL string) {
-	// Generate CSRF token
+func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
+	// Generate CSRF token and nonce
 	csrfToken := uuid.New().String()
-	session.Values["csrf"] = csrfToken
-	session.Values["incoming_path"] = req.URL.Path
-	session.Options = defaultSessionOptions
-	t.logger.Debugf("Setting CSRF token: %s", csrfToken)
-
-	// Generate nonce
 	nonce, err := generateNonce()
 	if err != nil {
 		http.Error(rw, "Failed to generate nonce", http.StatusInternalServerError)
 		return
 	}
-	session.Values["nonce"] = nonce
-	t.logger.Debugf("Setting nonce: %s", nonce)
+
+	// Set session values
+	session.SetCSRF(csrfToken)
+	session.SetNonce(nonce)
+	session.SetIncomingPath(req.URL.Path)
 
 	// Save the session
 	if err := session.Save(req, rw); err != nil {
@@ -579,7 +541,7 @@ func (t *TraefikOidc) defaultInitiateAuthentication(rw http.ResponseWriter, req
 		return
 	}
 
-	// Build the authentication URL
+	// Build and redirect to auth URL
 	authURL := t.buildAuthURL(redirectURL, csrfToken, nonce)
 	http.Redirect(rw, req, authURL, http.StatusFound)
 }
@@ -620,14 +582,9 @@ func (t *TraefikOidc) RevokeToken(token string) {
 	// Remove from cache
 	t.tokenCache.Delete(token)
 
-	// Add to blacklist
-	claims, err := extractClaims(token)
-	if err == nil {
-		if exp, ok := claims["exp"].(float64); ok {
-			expTime := time.Unix(int64(exp), 0)
-			t.tokenBlacklist.Add(token, expTime)
-		}
-	}
+	// Add to blacklist with default expiration
+	expiry := time.Now().Add(24 * time.Hour) // or other appropriate duration
+	t.tokenBlacklist.Add(token, expiry)
 }
 
 // RevokeTokenWithProvider revokes the token with the provider
@@ -668,10 +625,10 @@ func (t *TraefikOidc) RevokeTokenWithProvider(token, tokenType string) error {
 }
 
 // refreshToken refreshes the user's token
-func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, session *sessions.Session) bool {
+func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, session *SessionData) bool {
 	t.logger.Debug("Refreshing token")
-	refreshToken, ok := session.Values["refresh_token"].(string)
-	if !ok || refreshToken == "" {
+	refreshToken := session.GetRefreshToken()
+	if refreshToken == "" {
 		t.logger.Debug("No refresh token found in session")
 		return false
 	}
@@ -682,16 +639,17 @@ func (t *TraefikOidc) refreshToken(rw http.ResponseWriter, req *http.Request, se
 		return false
 	}
 
-	// Verify the new id_token
+	// Verify the new access token
 	if err := t.verifyToken(newToken.IDToken); err != nil {
-		t.logger.Errorf("Failed to verify new id_token: %v", err)
+		t.logger.Errorf("Failed to verify new access token: %v", err)
 		return false
 	}
 
 	// Update session with new tokens
-	session.Values["id_token"] = newToken.IDToken
-	session.Values["refresh_token"] = newToken.RefreshToken
-	session.Options = defaultSessionOptions
+	session.SetAccessToken(newToken.IDToken)
+	session.SetRefreshToken(newToken.RefreshToken)
+
+	// Save the session
 	if err := session.Save(req, rw); err != nil {
 		t.logger.Errorf("Failed to save refreshed session: %v", err)
 		return false
@@ -726,29 +684,48 @@ func (t *TraefikOidc) extractGroupsAndRoles(idToken string) ([]string, []string,
 	var groups []string
 	var roles []string
 
-	// Check for groups claim
-	if groupsClaim, ok := claims["groups"]; ok {
-		if groupsSlice, ok := groupsClaim.([]interface{}); ok {
-			for _, group := range groupsSlice {
-				if groupStr, ok := group.(string); ok {
-					t.logger.Debugf("Found group: %s", groupStr)
-					groups = append(groups, groupStr)
-				}
+	// Extract groups with type checking
+	if groupsClaim, exists := claims["groups"]; exists {
+		groupsSlice, ok := groupsClaim.([]interface{})
+		if !ok {
+			return nil, nil, fmt.Errorf("groups claim is not an array")
+		}
+		for _, group := range groupsSlice {
+			if groupStr, ok := group.(string); ok {
+				t.logger.Debugf("Found group: %s", groupStr)
+				groups = append(groups, groupStr)
 			}
 		}
 	}
 
-	// Check for roles claim
-	if rolesClaim, ok := claims["roles"]; ok {
-		if rolesSlice, ok := rolesClaim.([]interface{}); ok {
-			for _, role := range rolesSlice {
-				if roleStr, ok := role.(string); ok {
-					t.logger.Debugf("Found role: %s", roleStr)
-					roles = append(roles, roleStr)
-				}
+	// Extract roles with type checking
+	if rolesClaim, exists := claims["roles"]; exists {
+		rolesSlice, ok := rolesClaim.([]interface{})
+		if !ok {
+			return nil, nil, fmt.Errorf("roles claim is not an array")
+		}
+		for _, role := range rolesSlice {
+			if roleStr, ok := role.(string); ok {
+				t.logger.Debugf("Found role: %s", roleStr)
+				roles = append(roles, roleStr)
 			}
 		}
 	}
 
 	return groups, roles, nil
 }
+
+// buildFullURL constructs a full URL from scheme, host and path
+func buildFullURL(scheme, host, path string) string {
+	// If the path is already a full URL, return it as-is
+	if strings.HasPrefix(path, "http://") || strings.HasPrefix(path, "https://") {
+		return path
+	}
+
+	// Ensure the path starts with a forward slash
+	if !strings.HasPrefix(path, "/") {
+		path = "/" + path
+	}
+
+	return fmt.Sprintf("%s://%s%s", scheme, host, path)
+}

main_test.go

@@ -22,13 +22,14 @@ import (
 
 // TestSuite holds common test data and setup
 type TestSuite struct {
-	t             *testing.T
-	rsaPrivateKey *rsa.PrivateKey
-	rsaPublicKey  *rsa.PublicKey
-	ecPrivateKey  *ecdsa.PrivateKey
-	tOidc         *TraefikOidc
-	mockJWKCache  *MockJWKCache
-	token         string
+	t              *testing.T
+	rsaPrivateKey  *rsa.PrivateKey
+	rsaPublicKey   *rsa.PublicKey
+	ecPrivateKey   *ecdsa.PrivateKey
+	tOidc          *TraefikOidc
+	mockJWKCache   *MockJWKCache
+	token          string
+	sessionManager *SessionManager
 }
 
 // Setup initializes the test suite
@@ -78,6 +79,9 @@ func (ts *TestSuite) Setup() {
 		ts.t.Fatalf("Failed to create test JWT: %v", err)
 	}
 
+	logger := NewLogger("info")
+	ts.sessionManager = NewSessionManager("test-secret-key", false, logger)
+
 	// Common TraefikOidc instance
 	ts.tOidc = &TraefikOidc{
 		issuerURL:          "https://test-issuer.com",
@@ -89,13 +93,13 @@ func (ts *TestSuite) Setup() {
 		limiter:            rate.NewLimiter(rate.Every(time.Second), 10),
 		tokenBlacklist:     NewTokenBlacklist(),
 		tokenCache:         NewTokenCache(),
-		logger:             NewLogger("info"),
-		store:              sessions.NewCookieStore([]byte("test-secret-key")),
+		logger:             logger,
 		allowedUserDomains: map[string]struct{}{"example.com": {}},
 		excludedURLs:       map[string]struct{}{"/favicon": {}},
 		httpClient:         &http.Client{},
 		extractClaimsFunc:  extractClaims,
 		initComplete:       make(chan struct{}),
+		sessionManager:     ts.sessionManager,
 	}
 	close(ts.tOidc.initComplete)
 	ts.tOidc.exchangeCodeForTokenFunc = ts.exchangeCodeForTokenFunc
@@ -104,7 +108,7 @@ func (ts *TestSuite) Setup() {
 }
 
 // Helper functions used by TraefikOidc
-func (ts *TestSuite) exchangeCodeForTokenFunc(code string) (*TokenResponse, error) {
+func (ts *TestSuite) exchangeCodeForTokenFunc(code string, redirectURL string) (*TokenResponse, error) {
 	return &TokenResponse{
 		IDToken:      ts.token,
 		RefreshToken: "test-refresh-token",
@@ -257,6 +261,7 @@ func TestServeHTTP(t *testing.T) {
 		sessionValues  map[interface{}]interface{}
 		expectedStatus int
 		expectedBody   string
+		setupSession   func(*SessionData)
 	}{
 		{
 			name:           "Excluded URL",
@@ -272,10 +277,10 @@ func TestServeHTTP(t *testing.T) {
 		{
 			name:        "Authenticated request to protected URL",
 			requestPath: "/protected",
-			sessionValues: map[interface{}]interface{}{
-				"authenticated": true,
-				"email":         "user@example.com",
-				"id_token":      ts.token,
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetEmail("user@example.com")
+				session.SetAccessToken(ts.token)
 			},
 			expectedStatus: http.StatusOK,
 			expectedBody:   "OK",
@@ -283,52 +288,52 @@ func TestServeHTTP(t *testing.T) {
 		{
 			name:        "Logout URL",
 			requestPath: "/logout",
-			sessionValues: map[interface{}]interface{}{
-				"authenticated": true,
-				"email":         "user@example.com",
-				"id_token":      ts.token,
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetEmail("user@example.com")
+				session.SetAccessToken(ts.token)
 			},
 			expectedStatus: http.StatusOK,
-			expectedBody:   "Logged out\n",
+			expectedBody:   "",
 		},
 	}
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
-			// Create a request
 			req := httptest.NewRequest("GET", tc.requestPath, nil)
 			req.Header.Set("X-Forwarded-Proto", "http")
 			req.Header.Set("X-Forwarded-Host", "localhost")
-
-			// Create a temporary response recorder to save the session
-			rrSession := httptest.NewRecorder()
-
-			// Create a session
-			session, _ := ts.tOidc.store.New(req, cookieName)
-			if tc.sessionValues != nil {
-				for k, v := range tc.sessionValues {
-					session.Values[k] = v
-				}
-				session.Save(req, rrSession)
-			}
-
-			// Copy session cookie from rrSession to request
-			for _, cookie := range rrSession.Result().Cookies() {
-				req.AddCookie(cookie)
-			}
-
-			// Create a response recorder for ServeHTTP
 			rr := httptest.NewRecorder()
 
+			// Setup session if needed
+			session, err := ts.tOidc.sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get session: %v", err)
+			}
+			if tc.setupSession != nil {
+				tc.setupSession(session)
+				if err := session.Save(req, rr); err != nil {
+					t.Fatalf("Failed to save session: %v", err)
+				}
+
+				// Copy cookies to the new request
+				for _, cookie := range rr.Result().Cookies() {
+					req.AddCookie(cookie)
+				}
+				rr = httptest.NewRecorder()
+			}
+
 			// Call ServeHTTP
 			ts.tOidc.ServeHTTP(rr, req)
 
-			// Check the response
+			// Check response
 			if rr.Code != tc.expectedStatus {
-				t.Errorf("Test %s: expected status %d, got %d", tc.name, tc.expectedStatus, rr.Code)
+				t.Errorf("Expected status %d, got %d", tc.expectedStatus, rr.Code)
 			}
-			if tc.expectedBody != "" && strings.TrimSpace(rr.Body.String()) != strings.TrimSpace(rr.Body.String()) {
-				t.Errorf("Test %s: expected body '%s', got '%s'", tc.name, tc.expectedBody, rr.Body.String())
+			if tc.expectedBody != "" {
+				if body := strings.TrimSpace(rr.Body.String()); body != tc.expectedBody {
+					t.Errorf("Expected body %q, got %q", tc.expectedBody, body)
+				}
 			}
 		})
 	}
@@ -452,18 +457,20 @@ func TestHandleCallback(t *testing.T) {
 	ts := &TestSuite{t: t}
 	ts.Setup()
 
+	redirectURL := "http://example.com/"
+
 	tests := []struct {
 		name                 string
 		queryParams          string
-		exchangeCodeForToken func(code string) (*TokenResponse, error)
+		exchangeCodeForToken func(code string, redirectURL string) (*TokenResponse, error)
 		extractClaimsFunc    func(tokenString string) (map[string]interface{}, error)
-		sessionSetupFunc     func(session *sessions.Session)
+		sessionSetupFunc     func(*SessionData)
 		expectedStatus       int
 	}{
 		{
 			name:        "Success",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -475,49 +482,49 @@ func TestHandleCallback(t *testing.T) {
 					"nonce": "test-nonce",
 				}, nil
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusFound,
 		},
 		{
 			name:        "Missing Code",
 			queryParams: "",
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusBadRequest,
 		},
 		{
 			name:        "Exchange Code Error",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return nil, fmt.Errorf("exchange code error")
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusInternalServerError,
 		},
 		{
 			name:        "Missing ID Token",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return &TokenResponse{}, nil
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusInternalServerError,
 		},
 		{
 			name:        "Disallowed Email",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -529,16 +536,16 @@ func TestHandleCallback(t *testing.T) {
 					"nonce": "test-nonce",
 				}, nil
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusForbidden,
 		},
 		{
 			name:        "Invalid State Parameter",
 			queryParams: "?code=test-code&state=invalid-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -550,16 +557,16 @@ func TestHandleCallback(t *testing.T) {
 					"nonce": "test-nonce",
 				}, nil
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusBadRequest,
 		},
 		{
 			name:        "Nonce Mismatch",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -571,16 +578,16 @@ func TestHandleCallback(t *testing.T) {
 					"nonce": "invalid-nonce",
 				}, nil
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusInternalServerError,
 		},
 		{
 			name:        "Missing Nonce in Claims",
 			queryParams: "?code=test-code&state=test-csrf-token",
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				return &TokenResponse{
 					IDToken:      ts.token,
 					RefreshToken: "test-refresh-token",
@@ -592,9 +599,9 @@ func TestHandleCallback(t *testing.T) {
 					// Missing nonce
 				}, nil
 			},
-			sessionSetupFunc: func(session *sessions.Session) {
-				session.Values["csrf"] = "test-csrf-token"
-				session.Values["nonce"] = "test-nonce"
+			sessionSetupFunc: func(session *SessionData) {
+				session.SetCSRF("test-csrf-token")
+				session.SetNonce("test-nonce")
 			},
 			expectedStatus: http.StatusInternalServerError,
 		},
@@ -602,15 +609,18 @@ func TestHandleCallback(t *testing.T) {
 
 	for _, tc := range tests {
 		t.Run(tc.name, func(t *testing.T) {
+			logger := NewLogger("info")
+			sessionManager := NewSessionManager("test-secret-key", false, logger)
+
 			// Create a new instance for each test to avoid state carryover
 			tOidc := &TraefikOidc{
-				store:                    sessions.NewCookieStore([]byte("test-secret-key")),
 				allowedUserDomains:       map[string]struct{}{"example.com": {}},
-				logger:                   NewLogger("info"),
+				logger:                   logger,
 				exchangeCodeForTokenFunc: tc.exchangeCodeForToken,
 				extractClaimsFunc:        tc.extractClaimsFunc,
 				tokenVerifier:            ts.tOidc.tokenVerifier,
 				jwtVerifier:              ts.tOidc.jwtVerifier,
+				sessionManager:           sessionManager,
 			}
 
 			// Create request and response recorder
@@ -618,22 +628,27 @@ func TestHandleCallback(t *testing.T) {
 			rr := httptest.NewRecorder()
 
 			// Create session
-			session, _ := tOidc.store.New(req, cookieName)
+			session, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get session: %v", err)
+			}
 			if tc.sessionSetupFunc != nil {
 				tc.sessionSetupFunc(session)
 			}
-			session.Save(req, rr)
+			if err := session.Save(req, rr); err != nil {
+				t.Fatalf("Failed to save session: %v", err)
+			}
 
-			// Copy session cookie to request
+			// Copy cookies to the new request
 			for _, cookie := range rr.Result().Cookies() {
 				req.AddCookie(cookie)
 			}
 
-			// Reset rr for the actual test
+			// Reset response recorder for the actual test
 			rr = httptest.NewRecorder()
 
 			// Call handleCallback
-			tOidc.handleCallback(rr, req)
+			tOidc.handleCallback(rr, req, redirectURL)
 
 			// Check response
 			if rr.Code != tc.expectedStatus {
@@ -688,7 +703,7 @@ func TestOIDCHandler(t *testing.T) {
 	tests := []struct {
 		name                 string
 		queryParams          string
-		exchangeCodeForToken func(code string) (*TokenResponse, error)
+		exchangeCodeForToken func(code string, redirectURL string) (*TokenResponse, error)
 		extractClaimsFunc    func(tokenString string) (map[string]interface{}, error)
 		sessionSetupFunc     func(session *sessions.Session)
 		expectedStatus       int
@@ -704,7 +719,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -728,7 +743,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -751,7 +766,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -775,7 +790,7 @@ func TestOIDCHandler(t *testing.T) {
 				session.Values["csrf"] = "test-csrf-token"
 				session.Values["nonce"] = "test-nonce"
 			},
-			exchangeCodeForToken: func(code string) (*TokenResponse, error) {
+			exchangeCodeForToken: func(code string, redirectURL string) (*TokenResponse, error) {
 				// Simulate token exchange
 				return &TokenResponse{
 					IDToken:      ts.token,
@@ -820,3 +835,522 @@ func TestOIDCHandler(t *testing.T) {
 		})
 	}
 }
+
+// TestHandleLogout tests the logout functionality
+func TestHandleLogout(t *testing.T) {
+	ts := &TestSuite{t: t}
+	ts.Setup()
+
+	// Create mock revocation endpoint server
+	mockRevocationServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method != "POST" {
+			t.Errorf("Expected POST request, got %s", r.Method)
+		}
+		if err := r.ParseForm(); err != nil {
+			t.Fatalf("Failed to parse form: %v", err)
+		}
+		// Verify the required parameters are present
+		if r.Form.Get("token") == "" {
+			t.Error("Missing token parameter")
+		}
+		if r.Form.Get("token_type_hint") == "" {
+			t.Error("Missing token_type_hint parameter")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+	defer mockRevocationServer.Close()
+
+	tests := []struct {
+		name           string
+		setupSession   func(*SessionData)
+		endSessionURL  string
+		expectedStatus int
+		expectedURL    string
+		host           string
+	}{
+		{
+			name: "Successful logout with end session endpoint",
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetAccessToken("test.id.token")
+				session.SetRefreshToken("test-refresh-token")
+			},
+			endSessionURL:  "https://provider/end-session",
+			expectedStatus: http.StatusFound,
+			expectedURL:    "https://provider/end-session?id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
+			host:           "test-host",
+		},
+		{
+			name: "Successful logout without end session endpoint",
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetAccessToken("test.id.token")
+				session.SetRefreshToken("test-refresh-token")
+			},
+			endSessionURL:  "",
+			expectedStatus: http.StatusFound,
+			expectedURL:    "http://example.com/",
+			host:           "test-host",
+		},
+		{
+			name:           "Logout with empty session",
+			setupSession:   func(session *SessionData) {},
+			expectedStatus: http.StatusFound,
+			expectedURL:    "http://example.com/",
+			host:           "test-host",
+		},
+		{
+			name: "Logout with invalid end session URL",
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetAccessToken("test.id.token")
+				session.SetRefreshToken("test-refresh-token")
+			},
+			endSessionURL:  ":\\invalid-url",
+			expectedStatus: http.StatusInternalServerError,
+			host:           "test-host",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			logger := NewLogger("info")
+			sessionManager := NewSessionManager("test-secret-key", false, logger)
+			tOidc := &TraefikOidc{
+				revocationURL:  mockRevocationServer.URL,
+				endSessionURL:  tc.endSessionURL,
+				scheme:         "http",
+				logger:         logger,
+				tokenBlacklist: NewTokenBlacklist(),
+				httpClient:     &http.Client{},
+				clientID:       "test-client-id",
+				clientSecret:   "test-client-secret",
+				tokenCache:     NewTokenCache(),
+				forceHTTPS:     false,
+				sessionManager: sessionManager,
+			}
+
+			// Create request with proper headers
+			req := httptest.NewRequest("GET", "/logout", nil)
+			req.Header.Set("Host", tc.host)
+
+			// Create a response recorder
+			rr := httptest.NewRecorder()
+
+			// Get a session
+			session, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get session: %v", err)
+			}
+			if tc.setupSession != nil {
+				tc.setupSession(session)
+			}
+			if err := session.Save(req, rr); err != nil {
+				t.Fatalf("Failed to save session: %v", err)
+			}
+
+			// Copy cookies to the new request
+			for _, cookie := range rr.Result().Cookies() {
+				req.AddCookie(cookie)
+			}
+
+			// Reset response recorder
+			rr = httptest.NewRecorder()
+
+			// Handle logout
+			tOidc.handleLogout(rr, req)
+
+			// Check response
+			if rr.Code != tc.expectedStatus {
+				t.Errorf("Expected status %d, got %d", tc.expectedStatus, rr.Code)
+			}
+
+			if tc.expectedURL != "" {
+				location := rr.Header().Get("Location")
+				if location != tc.expectedURL {
+					t.Errorf("Expected redirect to %q, got %q", tc.expectedURL, location)
+				}
+			}
+
+			// Verify session is cleared
+			updatedSession, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get updated session: %v", err)
+			}
+
+			// Verify tokens are cleared
+			if token := updatedSession.GetAccessToken(); token != "" {
+				t.Error("Access token not cleared")
+			}
+			if token := updatedSession.GetRefreshToken(); token != "" {
+				t.Error("Refresh token not cleared")
+			}
+			if updatedSession.GetAuthenticated() {
+				t.Error("Session still marked as authenticated")
+			}
+
+			// Check token blacklist
+			if token := session.GetAccessToken(); token != "" {
+				if !tOidc.tokenBlacklist.IsBlacklisted(token) {
+					t.Error("Access token was not blacklisted")
+				}
+			}
+			if token := session.GetRefreshToken(); token != "" {
+				if !tOidc.tokenBlacklist.IsBlacklisted(token) {
+					t.Error("Refresh token was not blacklisted")
+				}
+			}
+		})
+	}
+}
+
+// TestRevokeTokenWithProvider tests the token revocation with provider
+func TestRevokeTokenWithProvider(t *testing.T) {
+	ts := &TestSuite{t: t}
+	ts.Setup()
+
+	tests := []struct {
+		name        string
+		token       string
+		tokenType   string
+		statusCode  int
+		expectError bool
+	}{
+		{
+			name:        "Successful token revocation",
+			token:       "valid-token",
+			tokenType:   "refresh_token",
+			statusCode:  http.StatusOK,
+			expectError: false,
+		},
+		{
+			name:        "Failed token revocation",
+			token:       "invalid-token",
+			tokenType:   "refresh_token",
+			statusCode:  http.StatusBadRequest,
+			expectError: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create test server
+			server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				// Verify request method and content type
+				if r.Method != "POST" {
+					t.Errorf("Expected POST request, got %s", r.Method)
+				}
+				if ct := r.Header.Get("Content-Type"); ct != "application/x-www-form-urlencoded" {
+					t.Errorf("Expected Content-Type application/x-www-form-urlencoded, got %s", ct)
+				}
+
+				// Verify form values
+				if err := r.ParseForm(); err != nil {
+					t.Fatalf("Failed to parse form: %v", err)
+				}
+				if got := r.Form.Get("token"); got != tc.token {
+					t.Errorf("Expected token %s, got %s", tc.token, got)
+				}
+				if got := r.Form.Get("token_type_hint"); got != tc.tokenType {
+					t.Errorf("Expected token_type_hint %s, got %s", tc.tokenType, got)
+				}
+				if got := r.Form.Get("client_id"); got != ts.tOidc.clientID {
+					t.Errorf("Expected client_id %s, got %s", ts.tOidc.clientID, got)
+				}
+				if got := r.Form.Get("client_secret"); got != ts.tOidc.clientSecret {
+					t.Errorf("Expected client_secret %s, got %s", ts.tOidc.clientSecret, got)
+				}
+
+				w.WriteHeader(tc.statusCode)
+			}))
+			defer server.Close()
+
+			// Set revocation URL to test server
+			ts.tOidc.revocationURL = server.URL
+
+			// Test token revocation
+			err := ts.tOidc.RevokeTokenWithProvider(tc.token, tc.tokenType)
+			if tc.expectError && err == nil {
+				t.Error("Expected error but got nil")
+			}
+			if !tc.expectError && err != nil {
+				t.Errorf("Unexpected error: %v", err)
+			}
+		})
+	}
+}
+
+// TestRevokeToken tests the token revocation functionality
+func TestRevokeToken(t *testing.T) {
+	ts := &TestSuite{t: t}
+	ts.Setup()
+
+	token := "test.token.with.claims"
+	claims := map[string]interface{}{
+		"exp": float64(time.Now().Add(time.Hour).Unix()),
+	}
+
+	// Test token revocation
+	t.Run("Token revocation", func(t *testing.T) {
+		// Create a new instance for this specific test
+		tOidc := &TraefikOidc{
+			tokenBlacklist: NewTokenBlacklist(),
+			tokenCache:     NewTokenCache(),
+		}
+
+		// Cache the token
+		tOidc.tokenCache.Set(token, claims, time.Hour)
+
+		// Revoke the token
+		tOidc.RevokeToken(token)
+
+		// Verify token was removed from cache
+		if _, exists := tOidc.tokenCache.Get(token); exists {
+			t.Error("Token was not removed from cache")
+		}
+
+		// Verify token was added to blacklist
+		if !tOidc.tokenBlacklist.IsBlacklisted(token) {
+			t.Error("Token was not added to blacklist")
+		}
+	})
+}
+
+// Add this new test function
+func TestBuildLogoutURL(t *testing.T) {
+	tests := []struct {
+		name               string
+		endSessionURL      string
+		idToken            string
+		postLogoutRedirect string
+		expectedURL        string
+		expectError        bool
+	}{
+		{
+			name:               "Valid URL",
+			endSessionURL:      "https://provider/end-session",
+			idToken:            "test.id.token",
+			postLogoutRedirect: "http://example.com/",
+			expectedURL:        "https://provider/end-session?id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
+			expectError:        false,
+		},
+		{
+			name:               "Invalid URL",
+			endSessionURL:      "://invalid-url",
+			idToken:            "test.id.token",
+			postLogoutRedirect: "http://example.com/",
+			expectError:        true,
+		},
+		{
+			name:               "URL with existing query parameters",
+			endSessionURL:      "https://provider/end-session?existing=param",
+			idToken:            "test.id.token",
+			postLogoutRedirect: "http://example.com/",
+			expectedURL:        "https://provider/end-session?existing=param&id_token_hint=test.id.token&post_logout_redirect_uri=http%3A%2F%2Fexample.com%2F",
+			expectError:        false,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			url, err := BuildLogoutURL(tc.endSessionURL, tc.idToken, tc.postLogoutRedirect)
+
+			if tc.expectError {
+				if err == nil {
+					t.Error("Expected error but got nil")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Unexpected error: %v", err)
+				}
+				if url != tc.expectedURL {
+					t.Errorf("Expected URL %q, got %q", tc.expectedURL, url)
+				}
+			}
+		})
+	}
+}
+
+// Add this new test function
+func TestHandleExpiredToken(t *testing.T) {
+	ts := &TestSuite{t: t}
+	ts.Setup()
+
+	tests := []struct {
+		name         string
+		setupSession func(*SessionData)
+		expectedPath string
+	}{
+		{
+			name: "Basic expired token",
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetAccessToken("expired.token")
+				session.SetEmail("test@example.com")
+			},
+			expectedPath: "/original/path",
+		},
+		{
+			name: "Session with additional values",
+			setupSession: func(session *SessionData) {
+				session.SetAuthenticated(true)
+				session.SetAccessToken("expired.token")
+				session.mainSession.Values["custom_value"] = "should-be-cleared"
+			},
+			expectedPath: "/another/path",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			logger := NewLogger("info")
+			sessionManager := NewSessionManager("test-secret-key", false, logger)
+
+			tOidc := &TraefikOidc{
+				sessionManager: sessionManager,
+				logger:         logger,
+				tokenVerifier:  ts.tOidc.tokenVerifier,
+				jwtVerifier:    ts.tOidc.jwtVerifier,
+				initComplete:   make(chan struct{}),
+				initiateAuthenticationFunc: func(rw http.ResponseWriter, req *http.Request, session *SessionData, redirectURL string) {
+					http.Redirect(rw, req, "/login", http.StatusFound)
+				},
+			}
+			close(tOidc.initComplete)
+
+			// Create request
+			req := httptest.NewRequest("GET", tc.expectedPath, nil)
+			rr := httptest.NewRecorder()
+
+			// Get session
+			session, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get session: %v", err)
+			}
+
+			// Setup session data
+			tc.setupSession(session)
+
+			// Handle expired token
+			tOidc.handleExpiredToken(rr, req, session, tc.expectedPath)
+
+			// Get the updated session to verify changes
+			updatedSession, err := sessionManager.GetSession(req)
+			if err != nil {
+				t.Fatalf("Failed to get updated session: %v", err)
+			}
+
+			// Verify main session values
+			if updatedSession.GetCSRF() == "" {
+				t.Error("CSRF token not set")
+			}
+			if path := updatedSession.GetIncomingPath(); path != tc.expectedPath {
+				t.Errorf("Expected path %s, got %s", tc.expectedPath, path)
+			}
+			if updatedSession.GetNonce() == "" {
+				t.Error("Nonce not set")
+			}
+
+			// Verify tokens are cleared
+			if token := updatedSession.GetAccessToken(); token != "" {
+				t.Error("Access token not cleared")
+			}
+			if token := updatedSession.GetRefreshToken(); token != "" {
+				t.Error("Refresh token not cleared")
+			}
+
+			// Verify redirect status
+			if rr.Code != http.StatusFound {
+				t.Errorf("Expected status %d, got %d", http.StatusFound, rr.Code)
+			}
+		})
+	}
+}
+
+// Add this new test function
+func TestExtractGroupsAndRoles(t *testing.T) {
+	ts := &TestSuite{t: t}
+	ts.Setup()
+
+	tests := []struct {
+		name         string
+		claims       map[string]interface{}
+		expectGroups []string
+		expectRoles  []string
+		expectError  bool
+	}{
+		{
+			name: "Valid groups and roles",
+			claims: map[string]interface{}{
+				"groups": []interface{}{"group1", "group2"},
+				"roles":  []interface{}{"role1", "role2"},
+			},
+			expectGroups: []string{"group1", "group2"},
+			expectRoles:  []string{"role1", "role2"},
+			expectError:  false,
+		},
+		{
+			name: "Empty groups and roles",
+			claims: map[string]interface{}{
+				"groups": []interface{}{},
+				"roles":  []interface{}{},
+			},
+			expectGroups: []string{},
+			expectRoles:  []string{},
+			expectError:  false,
+		},
+		{
+			name: "Invalid groups format",
+			claims: map[string]interface{}{
+				"groups": "not-an-array",
+				"roles":  []interface{}{"role1"},
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			// Create a test token with the claims
+			token, err := createTestJWT(ts.rsaPrivateKey, "RS256", "test-key-id", tc.claims)
+			if err != nil {
+				t.Fatalf("Failed to create test token: %v", err)
+			}
+
+			groups, roles, err := ts.tOidc.extractGroupsAndRoles(token)
+
+			if tc.expectError {
+				if err == nil {
+					t.Error("Expected error but got nil")
+				}
+			} else {
+				if err != nil {
+					t.Errorf("Unexpected error: %v", err)
+				}
+
+				// Compare groups
+				if !stringSliceEqual(groups, tc.expectGroups) {
+					t.Errorf("Expected groups %v, got %v", tc.expectGroups, groups)
+				}
+
+				// Compare roles
+				if !stringSliceEqual(roles, tc.expectRoles) {
+					t.Errorf("Expected roles %v, got %v", tc.expectRoles, roles)
+				}
+			}
+		})
+	}
+}
+
+// Helper function to compare string slices
+func stringSliceEqual(a, b []string) bool {
+	if len(a) != len(b) {
+		return false
+	}
+	for i := range a {
+		if a[i] != b[i] {
+			return false
+		}
+	}
+	return true
+}

session.go

@@ -0,0 +1,196 @@
+package traefikoidc
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/gorilla/sessions"
+)
+
+const (
+	mainCookieName     = "_raczylo_oidc"         // Main session cookie
+	accessTokenCookie  = "_raczylo_oidc_access"  // Access token cookie
+	refreshTokenCookie = "_raczylo_oidc_refresh" // Refresh token cookie
+)
+
+// SessionManager handles multiple session cookies
+type SessionManager struct {
+	store      sessions.Store
+	forceHTTPS bool
+	logger     *Logger
+}
+
+// NewSessionManager creates a new session manager
+func NewSessionManager(encryptionKey string, forceHTTPS bool, logger *Logger) *SessionManager {
+	return &SessionManager{
+		store:      sessions.NewCookieStore([]byte(encryptionKey)),
+		forceHTTPS: forceHTTPS,
+		logger:     logger,
+	}
+}
+
+// getSessionOptions returns session options based on scheme
+func (sm *SessionManager) getSessionOptions(isSecure bool) *sessions.Options {
+	return &sessions.Options{
+		HttpOnly: true,
+		Secure:   isSecure || sm.forceHTTPS,
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   ConstSessionTimeout,
+		Path:     "/",
+	}
+}
+
+// GetSession retrieves all session data
+func (sm *SessionManager) GetSession(r *http.Request) (*SessionData, error) {
+	mainSession, err := sm.store.Get(r, mainCookieName)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get main session: %w", err)
+	}
+
+	accessSession, err := sm.store.Get(r, accessTokenCookie)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get access token session: %w", err)
+	}
+
+	refreshSession, err := sm.store.Get(r, refreshTokenCookie)
+	if err != nil {
+		return nil, fmt.Errorf("failed to get refresh token session: %w", err)
+	}
+
+	sessionData := &SessionData{
+		manager:        sm,
+		mainSession:    mainSession,
+		accessSession:  accessSession,
+		refreshSession: refreshSession,
+	}
+
+	return sessionData, nil
+}
+
+// SessionData holds all session information
+type SessionData struct {
+	manager        *SessionManager
+	mainSession    *sessions.Session
+	accessSession  *sessions.Session
+	refreshSession *sessions.Session
+}
+
+// Save saves all session data
+func (sd *SessionData) Save(r *http.Request, w http.ResponseWriter) error {
+	isSecure := strings.HasPrefix(r.URL.Scheme, "https") || sd.manager.forceHTTPS
+
+	// Set options for all sessions
+	sd.mainSession.Options = sd.manager.getSessionOptions(isSecure)
+	sd.accessSession.Options = sd.manager.getSessionOptions(isSecure)
+	sd.refreshSession.Options = sd.manager.getSessionOptions(isSecure)
+
+	if err := sd.mainSession.Save(r, w); err != nil {
+		return fmt.Errorf("failed to save main session: %w", err)
+	}
+	if err := sd.accessSession.Save(r, w); err != nil {
+		return fmt.Errorf("failed to save access token session: %w", err)
+	}
+	if err := sd.refreshSession.Save(r, w); err != nil {
+		return fmt.Errorf("failed to save refresh token session: %w", err)
+	}
+
+	return nil
+}
+
+// Clear clears all session data
+func (sd *SessionData) Clear(r *http.Request, w http.ResponseWriter) error {
+	// Clear and expire all sessions
+	sd.mainSession.Options.MaxAge = -1
+	sd.accessSession.Options.MaxAge = -1
+	sd.refreshSession.Options.MaxAge = -1
+
+	for k := range sd.mainSession.Values {
+		delete(sd.mainSession.Values, k)
+	}
+	for k := range sd.accessSession.Values {
+		delete(sd.accessSession.Values, k)
+	}
+	for k := range sd.refreshSession.Values {
+		delete(sd.refreshSession.Values, k)
+	}
+
+	return sd.Save(r, w)
+}
+
+// GetAuthenticated returns authentication status
+func (sd *SessionData) GetAuthenticated() bool {
+	auth, _ := sd.mainSession.Values["authenticated"].(bool)
+	return auth
+}
+
+// SetAuthenticated sets authentication status
+func (sd *SessionData) SetAuthenticated(value bool) {
+	sd.mainSession.Values["authenticated"] = value
+}
+
+// GetAccessToken returns the access token
+func (sd *SessionData) GetAccessToken() string {
+	token, _ := sd.accessSession.Values["token"].(string)
+	return token
+}
+
+// SetAccessToken sets the access token
+func (sd *SessionData) SetAccessToken(token string) {
+	sd.accessSession.Values["token"] = token
+}
+
+// GetRefreshToken returns the refresh token
+func (sd *SessionData) GetRefreshToken() string {
+	token, _ := sd.refreshSession.Values["token"].(string)
+	return token
+}
+
+// SetRefreshToken sets the refresh token
+func (sd *SessionData) SetRefreshToken(token string) {
+	sd.refreshSession.Values["token"] = token
+}
+
+// GetCSRF returns the CSRF token
+func (sd *SessionData) GetCSRF() string {
+	csrf, _ := sd.mainSession.Values["csrf"].(string)
+	return csrf
+}
+
+// SetCSRF sets the CSRF token
+func (sd *SessionData) SetCSRF(token string) {
+	sd.mainSession.Values["csrf"] = token
+}
+
+// GetNonce returns the nonce
+func (sd *SessionData) GetNonce() string {
+	nonce, _ := sd.mainSession.Values["nonce"].(string)
+	return nonce
+}
+
+// SetNonce sets the nonce
+func (sd *SessionData) SetNonce(nonce string) {
+	sd.mainSession.Values["nonce"] = nonce
+}
+
+// GetEmail returns the user's email
+func (sd *SessionData) GetEmail() string {
+	email, _ := sd.mainSession.Values["email"].(string)
+	return email
+}
+
+// SetEmail sets the user's email
+func (sd *SessionData) SetEmail(email string) {
+	sd.mainSession.Values["email"] = email
+}
+
+// GetIncomingPath returns the original incoming path
+func (sd *SessionData) GetIncomingPath() string {
+	path, _ := sd.mainSession.Values["incoming_path"].(string)
+	return path
+}
+
+// SetIncomingPath sets the original incoming path
+func (sd *SessionData) SetIncomingPath(path string) {
+	sd.mainSession.Values["incoming_path"] = path
+}

session_test.go

@@ -0,0 +1,60 @@
+package traefikoidc
+
+import (
+	"net/http/httptest"
+	"testing"
+)
+
+func TestSessionManager(t *testing.T) {
+	logger := NewLogger("info")
+	manager := NewSessionManager("test-secret-key", false, logger)
+
+	req := httptest.NewRequest("GET", "/test", nil)
+	rr := httptest.NewRecorder()
+
+	session, err := manager.GetSession(req)
+	if err != nil {
+		t.Fatalf("Failed to get session: %v", err)
+	}
+
+	// Test setting and getting values
+	session.SetAuthenticated(true)
+	session.SetEmail("test@example.com")
+	session.SetAccessToken("test.access.token")
+	session.SetRefreshToken("test.refresh.token")
+
+	if err := session.Save(req, rr); err != nil {
+		t.Fatalf("Failed to save session: %v", err)
+	}
+
+	// Verify cookies are set
+	cookies := rr.Result().Cookies()
+	if len(cookies) != 3 {
+		t.Errorf("Expected 3 cookies, got %d", len(cookies))
+	}
+
+	// Create a new request with the cookies
+	newReq := httptest.NewRequest("GET", "/test", nil)
+	for _, cookie := range cookies {
+		newReq.AddCookie(cookie)
+	}
+
+	// Get the session again and verify values
+	newSession, err := manager.GetSession(newReq)
+	if err != nil {
+		t.Fatalf("Failed to get new session: %v", err)
+	}
+
+	if !newSession.GetAuthenticated() {
+		t.Error("Authentication status not preserved")
+	}
+	if email := newSession.GetEmail(); email != "test@example.com" {
+		t.Errorf("Expected email test@example.com, got %s", email)
+	}
+	if token := newSession.GetAccessToken(); token != "test.access.token" {
+		t.Errorf("Expected access token test.access.token, got %s", token)
+	}
+	if token := newSession.GetRefreshToken(); token != "test.refresh.token" {
+		t.Errorf("Expected refresh token test.refresh.token, got %s", token)
+	}
+}

settings.go

@@ -6,8 +6,6 @@ import (
 	"log"
 	"net/http"
 	"os"
-
-	"github.com/gorilla/sessions"
 )
 
 const (
@@ -30,17 +28,11 @@ type Config struct {
 	ExcludedURLs          []string `json:"excludedURLs"`
 	AllowedUserDomains    []string `json:"allowedUserDomains"`
 	AllowedRolesAndGroups []string `json:"allowedRolesAndGroups"`
+	OIDCEndSessionURL     string   `json:"oidcEndSessionURL"`
+	PostLogoutRedirectURI string   `json:"postLogoutRedirectURI"`
 	HTTPClient            *http.Client
 }
 
-var defaultSessionOptions = &sessions.Options{
-	HttpOnly: true,
-	Secure:   false,
-	SameSite: http.SameSiteLaxMode,
-	MaxAge:   ConstSessionTimeout,
-	Path:     "/",
-}
-
 // CreateConfig creates a new Config with default values
 func CreateConfig() *Config {
 	c := &Config{}

vendor/github.com/gorilla/sessions/LICENSE

@@ -1,4 +1,4 @@
-Copyright (c) 2024 The Gorilla Authors. All rights reserved.
+Copyright (c) 2023 The Gorilla Authors. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
 modification, are permitted provided that the following conditions are

vendor/github.com/gorilla/sessions/README.md

@@ -1,7 +1,4 @@
-# Gorilla Sessions
-
-> [!IMPORTANT]
-> The latest version of this repository requires go 1.23 because of the new partitioned attribute. The last version that is compatible with older versions of go is v1.3.0.
+# sessions
 
 ![testing](https://github.com/gorilla/sessions/actions/workflows/test.yml/badge.svg)
 [![codecov](https://codecov.io/github/gorilla/sessions/branch/main/graph/badge.svg)](https://codecov.io/github/gorilla/sessions)
@@ -77,7 +74,6 @@ Other implementations of the `sessions.Store` interface:
 - [github.com/dsoprea/go-appengine-sessioncascade](https://github.com/dsoprea/go-appengine-sessioncascade) - Memcache/Datastore/Context in AppEngine
 - [github.com/kidstuff/mongostore](https://github.com/kidstuff/mongostore) - MongoDB
 - [github.com/srinathgs/mysqlstore](https://github.com/srinathgs/mysqlstore) - MySQL
-- [github.com/danielepintore/gorilla-sessions-mysql](https://github.com/danielepintore/gorilla-sessions-mysql) - MySQL
 - [github.com/EnumApps/clustersqlstore](https://github.com/EnumApps/clustersqlstore) - MySQL Cluster
 - [github.com/antonlindstrom/pgstore](https://github.com/antonlindstrom/pgstore) - PostgreSQL
 - [github.com/boj/redistore](https://github.com/boj/redistore) - Redis

vendor/github.com/gorilla/sessions/cookie.go

@@ -1,6 +1,5 @@
-// Copyright 2012 The Gorilla Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+//go:build !go1.11
+// +build !go1.11
 
 package sessions
 
@@ -9,15 +8,13 @@ import "net/http"
 // newCookieFromOptions returns an http.Cookie with the options set.
 func newCookieFromOptions(name, value string, options *Options) *http.Cookie {
 	return &http.Cookie{
-		Name:        name,
-		Value:       value,
-		Path:        options.Path,
-		Domain:      options.Domain,
-		MaxAge:      options.MaxAge,
-		Secure:      options.Secure,
-		HttpOnly:    options.HttpOnly,
-		Partitioned: options.Partitioned,
-		SameSite:    options.SameSite,
+		Name:     name,
+		Value:    value,
+		Path:     options.Path,
+		Domain:   options.Domain,
+		MaxAge:   options.MaxAge,
+		Secure:   options.Secure,
+		HttpOnly: options.HttpOnly,
 	}
 
 }

vendor/github.com/gorilla/sessions/cookie_go111.go

@@ -0,0 +1,21 @@
+//go:build go1.11
+// +build go1.11
+
+package sessions
+
+import "net/http"
+
+// newCookieFromOptions returns an http.Cookie with the options set.
+func newCookieFromOptions(name, value string, options *Options) *http.Cookie {
+	return &http.Cookie{
+		Name:     name,
+		Value:    value,
+		Path:     options.Path,
+		Domain:   options.Domain,
+		MaxAge:   options.MaxAge,
+		Secure:   options.Secure,
+		HttpOnly: options.HttpOnly,
+		SameSite: options.SameSite,
+	}
+
+}

vendor/github.com/gorilla/sessions/options.go

@@ -1,11 +1,8 @@
-// Copyright 2012 The Gorilla Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
+//go:build !go1.11
+// +build !go1.11
 
 package sessions
 
-import "net/http"
-
 // Options stores configuration for a session or session store.
 //
 // Fields are a subset of http.Cookie fields.
@@ -16,9 +13,7 @@ type Options struct {
 	// deleted after the browser session ends.
 	// MaxAge<0 means delete cookie immediately.
 	// MaxAge>0 means Max-Age attribute present and given in seconds.
-	MaxAge      int
-	Secure      bool
-	HttpOnly    bool
-	Partitioned bool
-	SameSite    http.SameSite
+	MaxAge   int
+	Secure   bool
+	HttpOnly bool
 }

vendor/github.com/gorilla/sessions/options_go111.go

@@ -0,0 +1,23 @@
+//go:build go1.11
+// +build go1.11
+
+package sessions
+
+import "net/http"
+
+// Options stores configuration for a session or session store.
+//
+// Fields are a subset of http.Cookie fields.
+type Options struct {
+	Path   string
+	Domain string
+	// MaxAge=0 means no Max-Age attribute specified and the cookie will be
+	// deleted after the browser session ends.
+	// MaxAge<0 means delete cookie immediately.
+	// MaxAge>0 means Max-Age attribute present and given in seconds.
+	MaxAge   int
+	Secure   bool
+	HttpOnly bool
+	// Defaults to http.SameSiteDefaultMode
+	SameSite http.SameSite
+}

vendor/modules.txt

@@ -4,8 +4,8 @@ github.com/google/uuid
 # github.com/gorilla/securecookie v1.1.2
 ## explicit; go 1.20
 github.com/gorilla/securecookie
-# github.com/gorilla/sessions v1.4.0
-## explicit; go 1.23
+# github.com/gorilla/sessions v1.3.0
+## explicit; go 1.20
 github.com/gorilla/sessions
 # golang.org/x/time v0.7.0
 ## explicit; go 1.18