Security News
Oracle Drags Its Feet in the JavaScript Trademark Dispute
Oracle seeks to dismiss fraud claims in the JavaScript trademark dispute, delaying the case and avoiding questions about its right to the name.
By Sarah Gooding - Feb 07, 2025
New Case Study:See how Anthropic automated 95% of dependency reviews with Socket.Learn More →
github.com/rivo/sessions
- Version published
- Created
A Go Package for Cookie-Based Web Sessions
This Go package attempts to free you from the hard work of implementing safe cookie-based web sessions.
Sessions implements a number of OWASP recommendations:
- No data storage on the client
- Automatic session expiry
- Session ID regeneration
- Anomaly detection via IP address and user agent analysis
Additional features:
- Session key/value storage
- Log in/out functions for users
- Various identifier generation functions
- Password strength checks (based on NIST recommendations)
- Lots of configuration options
- Database-agnostic, choose your own backend
- It's not a framework, everything is based on net/http.
- Extensive documentation
If you want to go one step further and have user signup, login, logout, password reset, email/password change implemented for you, check out github.com/rivo/users.
Installation
go get github.com/rivo/sessions
Simple Example
func MyHandler(response http.ResponseWriter, request *http.Request) {
session, err := sessions.Start(response, request, false)
if err != nil {
panic(err)
}
if session != nil {
fmt.Println("We have a session")
} else {
fmt.Println("We have no session")
}
}
(Providing true will always return a session.)
With the session object, you can call:
RegenerateIDto switch the session ID,Set,Get,GetAndDelete, andDeleteto (un-)assign values to keys,LogInandLogOutto attach/detach users,GobEncode,GobDecode,MarshalJSON, andUnmarshalJSONto (un-)serialize sessions,Destroyto end a session.
Configuration Options
SessionCookie: Name of the session cookie.NewSessionCookie: Function for new cookies (used to set cookie parameters).SessionExpiry: Time to expiry for inactive sessions.SessionIDExpiry: Maximum session ID lifetime before automatic regeneration.SessionIDGracePeriod: Extended lifetime for regenerated session IDs.AcceptRemoteIP: Accepted level of change for IP addresses.AcceptChangingUserAgent: Whether or not user agent changes are accepted.MaxSessionCacheSize: Size of local (write-through) session cache.SessionCacheExpiry: Maximum session lifetime in local cache.
Then there is Persistence used to connect to the session store of your choice (defaults to RAM).
Documentation
See http://godoc.org/github.com/rivo/sessions for the documentation.
See also the Wiki for more examples and explanations.
Your Feedback
Add your issue here on GitHub. Feel free to get in touch if you have any questions.
Release Notes
- v0.1 (2017-11-11)
- First release.
FAQs
Unknown package
Package last updated on 01 May 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Linux Foundation Warns Open Source Developers: Compliance with Sanctions Is Not Optional
The Linux Foundation is warning open source developers that compliance with global sanctions is mandatory, highlighting legal risks and restrictions on contributions.
By Sarah Gooding - Feb 06, 2025
Security News
Maven Central Adds Sigstore Signature Validation
Maven Central now validates Sigstore signatures, making it easier for developers to verify the provenance of Java packages.
By Sarah Gooding - Feb 06, 2025