fix: #8142, broken site if no server-side session (#8148)

* fix: #8142, broken site if no server-side session

During the `addHeader` middleware, a check is now done to see if
`req.session.meta` is present. This value is only present if the user
has a valid server-side session.  If it is missing, then it is probably
safe to assume that the server-side session was deleted (either
intentionally or accidentally). In that scenario, the client-side cookie
should be cleared.

Also, there was an issue where the sessionRefresh flag was never cleared
after a successful login, so that was fixed too.

* feat: exported method to get cookie config

* fix: don't clear cookie if cookie is being set

* fix: socket.io tests

Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com>
Julian Lam
2020-02-06 15:52:37 -05:00
committed by GitHub
parent 0885ec6858
commit d6e3f3f058
5 changed files with 34 additions and 20 deletions


@@ -3,6 +3,7 @@
var os = require('os');
var winston = require('winston');
var _ = require('lodash');
const nconf = require('nconf');
var meta = require('../meta');
var languages = require('../languages');
@@ -54,6 +55,11 @@ module.exports = function (middleware) {
headers['X-Upstream-Hostname'] = os.hostname();
}
// Validate session
if (!req.session.meta && !res.get('Set-Cookie')) {
res.clearCookie(nconf.get('sessionKey'), meta.configs.cookie.get());
}
for (var key in headers) {
if (headers.hasOwnProperty(key) && headers[key]) {
res.setHeader(key, headers[key]);
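Review bot: The new check `if (!req.session.meta && !res.get('Set-Cookie'))` reads `req.session.meta` without first confirming that `req.session` exists, so if this middleware ever runs where the session middleware was skipped or its store failed, the header step throws instead of recovering. Guarding it, e.g. `if ((!req.session || !req.session.meta) && !res.get('Set-Cookie')) {`, keeps the cleanup path from becoming a new failure mode. The hunk also does not show whether guest sessions carry `meta`; if they do not, every anonymous response would carry a cookie-clearing `Set-Cookie` header, which is worth confirming because it affects cacheability and any session-bound guest state such as CSRF tokens. The `// Validate session` comment could state the side effect, for instance `// No server-side session data: drop the stale session cookie unless a new one is being set`. The enclosing function starts and ends outside the hunk.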