Integration Testing Flash Messages with Cookie-Based Sessions in Echo

One approach to implemented error and success messages (or “toasts”) in web applications is to use flash messages. Flash messages are stored in the session, displayed on the next request and then removed from the session.

In my case my sessions were stored in a cookie and the application was built with the go Echo web framework.

I had trouble with integration testing these flash messages: in manual browser testing the messages worked as expected but in the integration tests the messages were not rendered. The test service was locally running on HTTP.

My final intuition was that cookie flags were preventing the integration test HTTP client from transmitting the cookie when receiving a redirect. I made the Secure flag configurable on the server, set it to false in my test setup and the flash messages were correctly rendered.

This is how you can configure this in Echo:

cookieStore := sessions.NewCookieStore([]byte(sessionCookieSecretKey))
cookieStore.Options.Secure = controller.Config.SessionCookieSecureFlag
e.Use(session.Middleware(cookieStore))

Strangely enough the browser (Firefox 130 in this case) did transmit the session cookie to the server, despite the Secure flag being set to true and the server not having TLS enabled.

Turns out this is intentional browser behaviour to ease testing and development by treating the localhost context as secure in this case. See the Mozilla bug report where they document this. Chrome has implemented the same behaviour.