Session management in Go is not built into the language or the standard package for web applications. However, there are libraries that simplify this task, such as gorilla/sessions. In this article, we will see how to implement basic session management using this library.
Installing the Library
First, you need to install the gorilla/sessions package:

    go get github.com/gorilla/sessions
Creating the Session Handler
The following example shows how to configure and use a session:
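    package main

    import (
    	"fmt"
    	"log"
    	"net/http"

    	"github.com/gorilla/sessions"
    )

    // Example key only. In production, load a strong, unique key from
    // configuration instead of hard-coding it.
    var store = sessions.NewCookieStore([]byte("super-secret-key"))

    func loginHandler(w http.ResponseWriter, r *http.Request) {
    	// Get returns a new, empty session when the cookie is missing or
    	// cannot be decoded, so the error is ignored here.
    	session, _ := store.Get(r, "session-name")
    	session.Values["authenticated"] = true
    	if err := session.Save(r, w); err != nil {
    		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
    		return
    	}
    	fmt.Fprintln(w, "Logged in")
    }

    func logoutHandler(w http.ResponseWriter, r *http.Request) {
    	session, _ := store.Get(r, "session-name")
    	session.Values["authenticated"] = false
    	if err := session.Save(r, w); err != nil {
    		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
    		return
    	}
    	fmt.Fprintln(w, "Logged out")
    }

    func protectedHandler(w http.ResponseWriter, r *http.Request) {
    	// An undecodable cookie yields an empty session, which fails the check below.
    	session, _ := store.Get(r, "session-name")
    	if auth, ok := session.Values["authenticated"].(bool); !ok || !auth {
    		http.Error(w, "Forbidden", http.StatusForbidden)
    		return
    	}
    	fmt.Fprintln(w, "This is a protected area")
    }

    func main() {
    	http.HandleFunc("/login", loginHandler)
    	http.HandleFunc("/logout", logoutHandler)
    	http.HandleFunc("/protected", protectedHandler)
    	// ListenAndServe only returns on failure; report the reason.
    	log.Fatal(http.ListenAndServe(":8080", nil))
    }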
Code Explanation
- store: initialized with a secret key, used to sign the cookies.
- loginHandler: sets the authenticated value to true.
- logoutHandler: sets the authenticated value to false.
- protectedHandler: checks if the user is authenticated.
Security Considerations
It is important to use a strong and unique secret key. In production, consider using alternative session stores, such as Redis or a database, for greater scalability and security.
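What "signing" the cookie with the store key means, and why that key must be strong and secret, shown with the standard library only. This is an added example, not part of the original article and not gorilla/sessions' own code; the cookie format and the helper names newKey, sign and verify are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var errBadCookie = errors.New("cookie rejected: malformed or bad signature")

// newKey (hypothetical helper) returns n bytes from the OS CSPRNG to use as the signing key.
func newKey(n int) ([]byte, error) {
	key := make([]byte, n)
	_, err := rand.Read(key)
	return key, err
}

// sign returns base64(value).base64(HMAC-SHA256(key, name|value)); the name binds the value to one cookie.
func sign(key []byte, name string, value []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(name + "|"))
	m.Write(value)
	enc := base64.RawURLEncoding
	return enc.EncodeToString(value) + "." + enc.EncodeToString(m.Sum(nil))
}

// verify re-signs the decoded payload and compares the whole cookie in constant time.
func verify(key []byte, name, cookie string) ([]byte, error) {
	payload, _, _ := strings.Cut(cookie, ".")
	value, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil || !hmac.Equal([]byte(cookie), []byte(sign(key, name, value))) {
		return nil, errBadCookie
	}
	return value, nil
}

func main() {
	key, err := newKey(32) // 32 random bytes, generated once and kept secret
	if err != nil {
		panic(err)
	}
	cookie := sign(key, "session-name", []byte("authenticated=true")) // constructed sample value
	value, err := verify(key, "session-name", cookie)
	fmt.Println(cookie, string(value), err)
}
```

The payload half of the cookie is only base64-encoded, so signing stops modification but does not hide the session values from the client.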