When using read-only session extractors (query, form, param, custom), the client-provided session ID was silently discarded whenever no session data existed in storage for that ID. A new random ID was generated instead — but never communicated back to the client (these sources are write-only; no Set-Cookie/response header is written). Every request created an orphaned session, making persistent sessions via query parameters impossible.

Root cause

In Store.getSession, the rawData == nil branch unconditionally reset id = "" and called KeyGenerator(). This is correct for cookie/header sources (prevents session fixation) but wrong for read-only sources where the client re-presents the same ID on every request and has no way to discover a server-generated replacement.

Changes introduced

middleware/session/store.go

• getSessionID now returns (string, bool) — the session ID and whether the extraction source is writable (cookie or header). For chained extractors, the function iterates sub-extractors in order so writability is determined by the source that actually matched, not the chain's primary source.
• getSession branches on writableSource when no storage data is found:
  • Writable (cookie, header): discard the unknown ID and regenerate — session fixation protection preserved.
  • Read-only (query, form, param, custom): preserve the client-provided ID, mark the session fresh, and store it under that ID. Subsequent requests with the same ID now load the same session.

A security note is added to the read-only branch explaining the inherent tradeoff.

middleware/session/store_test.go

• Updated Test_Store_getSessionID for the new two-value return; asserts writability per source type.
• Added regression tests covering: query extractor preserves ID on first use; session data round-trips across two requests; chained Cookie→Query still rejects an unknown cookie ID; chained Cookie→Query preserves the query fallback ID when no cookie is present.

Example — now works as documented

app.Use(session.New(session.Config{
    Extractor: extractors.FromQuery("SESSIONID"),
}))

app.Get("/", func(c fiber.Ctx) error {
    sess := session.FromContext(c)
    // sess.ID() now equals c.Query("SESSIONID") on every request
    return c.SendString(sess.ID())
})
// GET /?SESSIONID=353267097  →  353267097  (consistent across requests)

• Benchmarks: No measurable hot-path impact; one extra bool return on the extraction path.
• Documentation Update: No doc changes required; behaviour now matches the existing documentation.
• Changelog/What's New: Bug fix — query/form/param/custom session extractors now correctly persist sessions under the client-provided ID.
• Migration Guide: No breaking changes. Cookie/header extractor behaviour is unchanged.
• API Alignment with Express: N/A.
• API Longevity: Internal function signature change (getSessionID) only; no public API affected.
• Examples: See snippet above.

Type of change

• New feature (non-breaking change which adds functionality)

Checklist

• Followed the inspiration of the Express.js framework for new functionalities, making them similar in usage.
• Conducted a self-review of the code and provided comments for complex or critical parts.
• Updated the documentation in the /docs/ directory for Fiber's documentation.
• Added or updated unit tests to validate the effectiveness of the changes or new features.
• Ensured that new and existing unit tests pass locally with the changes.
• Verified that any new dependencies are essential and have been agreed upon by the maintainers/community.
• Aimed for optimal performance with minimal allocations in the new code.
• Provided benchmarks for the new code to analyze and improve upon.