gofiber · dogukanoksuz · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025
@@ -26,7 +26,7 @@ func New(config ...Config) fiber.Handler {
 			if !isDisabled(keyString, cfg.Except) {
 				decryptedValue, err := cfg.Decryptor(keyString, string(value), cfg.Key)
 				if err != nil {
-					c.Request().Header.DelCookieBytes(key)
+					c.Request().Header.SetCookie(string(key), "")
 				} else {
 					c.Request().Header.SetCookie(string(key), decryptedValue)
 				}

@@ -107,6 +107,38 @@
 	require.ErrorIs(t, err, ErrInvalidEncryptedValue)
 }
 
+func Test_Middleware_Decrypt_Invalid_Cookie_Does_Not_Panic(t *testing.T) {
+	t.Parallel()
+
+	testKey := GenerateKey(32)
+	app := fiber.New()
+
+	app.Use(New(Config{
+		Key: testKey,
+	}))
+
+	app.Get("/", func(c fiber.Ctx) error {
+		return c.SendString("value=" + c.Cookies("test"))
+	})
+
+	// Send a request with an unencrypted/invalid cookie value
+	// This should not panic and should clear the cookie value
+	req := httptest.NewRequest(fiber.MethodGet, "/", http.NoBody)
+	req.AddCookie(&http.Cookie{
+		Name:  "test",
+		Value: "plaintext-unencrypted-value",
+	})
+
+	resp, err := app.Test(req)
+	require.NoError(t, err)
+	require.Equal(t, fiber.StatusOK, resp.StatusCode)
+
+	// The cookie value should be empty since decryption failed
+	body := make([]byte, 64)
+	n, _ := resp.Body.Read(body)
+	require.Equal(t, "value=", string(body[:n]))
+}
+
 func Test_Middleware_EncryptionErrorPropagates(t *testing.T) {
 	t.Parallel()