Secure web login system (using Web.go)


nvcnvn

Feb 9, 2011, 8:34:17 PM2/9/11
to golang-nuts
Can anyone tell me how to make a secure login system in a web app
using Go!?

I'm using web.go (http://www.getwebgo.com/) and trying to create a small
website (guest book example :D)

But I'm not sure how to log the user in! :D
################# CODE ###################
package main

import (
	"web"
)

var loged = false
var username = ""

func mainpage(val string) string {
	var html string
	if !loged {
		// not logged in yet: show the login form
		html = `
<html>
<head><title>Test</title></head>
<body>
<form method="post" action="/login" enctype="multipart/form-data">
ID:<input type="text" name="id" /><br />
PASS:<input type="text" name="pass" /><br />
<input type="submit" name="submit" value="submit" />
</form>
</body>
</html>
`
	} else {
		// logged in: greet the user
		html = `
<html>
<head><title>Test</title></head>
<body>
Hi ` + username + `!
</body>
</html>
`
	}
	return html
}

func login(ctx *web.Context) string {
	// for now these are some fixed ids and passwords; in fact maybe I will use SQL or XML to store them
	id1, pass1 := "me", "123"
	id2, pass2 := "you", "456"
	_, _, _, _ = id1, pass1, id2, pass2 // placeholder so the file compiles until the check below is written

	/*
	what should I do next!?
	I know I can use Cookies
	But is there anything else!?
	How can I change the "loged" value to true!?
	If you can, please show me the best secure way!
	*/
	return ""
}

func main() {
	web.Get("/(.*)", mainpage)
	web.Post("/login", login)
	web.Run("0.0.0.0:9999")
}

##########################################

Paulo Pinto

Feb 10, 2011, 4:28:58 AM2/10/11
to golang-nuts
You need to create your own session and map it to each user via
cookies.

nvcnvn

Feb 10, 2011, 6:31:12 AM2/10/11
to golang-nuts
@Paulo: So what if the browser does not allow setting cookies!?

Has anyone ever done this? Can I see any example code!?

Thank you!

Paulo Pinto

Feb 10, 2011, 6:48:57 AM2/10/11
to golang-nuts
Then you need to encode the session id in all urls that you serve back
to the browser.

mattn

Feb 10, 2011, 1:49:15 PM2/10/11
to golan...@googlegroups.com
I've just written a new package, "go-session".


This is a module, an "http session manager" like Microsoft ASP's session object.
Currently, this module is installed as http/session.
This means I am suggesting that we make this module an official package.
Maybe you can use this in web.go.

Anyone, please give me advice. :)

Thanks.
- Yasuhiro Matsumoto 

Kyle Lemons

Feb 10, 2011, 2:07:15 PM2/10/11
to golang-nuts
IMHO, this may better live as an addition to web.go (I'm sure he'd
consider a pull request) if it isn't already there. From what I
understand of cookies and PHP's session management strategy, you could
for every visitor immediately send a VISITORID cookie. If, on login
(and in any page with a referer set), you did not get this cookie back
you instead attach a VISITORID or something as a GET parameter to
every in-site URL. On the backend you use some persistent storage
mechanism to link this visitor ID, IP, and (if you are really
adventurous) USER-AGENT together as a key into the session store.

Just my 2c.
~Kyle

Torben Weis

Feb 10, 2011, 2:08:06 PM2/10/11
to golan...@googlegroups.com
Hi,

web.go already has support for secure cookies. Did you look into this implementation?

BTW: MD5 is dead, don't use it for security purposes.

Greetings
Torben
--
---------------------------
Prof. Torben Weis
Universitaet Duisburg-Essen
torbe...@gmail.com

Karla Tahan

Feb 10, 2011, 2:41:54 PM2/10/11
to golan...@googlegroups.com
Where is a web package?

nvcnvn

Feb 11, 2011, 6:59:28 AM2/11/11
to golang-nuts
Yes, I know about secure cookies, but the issue is that it will not
work if the browser does not allow cookies!
We can see SESSION in PHP, ASP, Java JSP. So I think I can say SESSION
is the most important part of a dynamic web page!

I see the open source projects in PHP use SESSION in their login systems in case you
cannot use COOKIES.

My favorite language is PHP (I just use PHP to design web sites - I only
know about web-based), and now I have tried Go but it is so hard!


@mattn:
I will try your package now! It's so helpful! Thanks!
https://github.com/mattn/go-session-manager

nvcnvn

Feb 11, 2011, 7:20:20 AM2/11/11
to golang-nuts
I tried to email him about SESSION but I'm not sure whether he read it
or not!

I'm not sure how SESSION is made, but if someone can make a SESSION
package in a secure way, that would be great!

Erfan Akbarimanesh

Sep 6, 2014, 2:55:56 AM9/6/14
to golan...@googlegroups.com
Go is the best for web programming, but understanding Go is hard for some people.
I can program in PHP and Go, but my favorite language is Go because it is very powerful.
Good luck.

--------------------------------------------------------------------------------------------------------------------
On Friday, 11 February 2011, at 15:29:28 (UTC+3:30), nvcnvn wrote:

Christian Blach

Sep 7, 2014, 12:07:37 AM9/7/14
to golan...@googlegroups.com
While the technical level in this thread seems rather low, I will give a few pieces of advice to whoever wants to write their own session handler. I do, however, encourage you to read up on Go and do some tutorials before doing this.

1) Generate your session ids using crypto/rand to ensure high entropy. Many will be surprised how easy it otherwise is to guess a session id.

2) Store your sessions in a map, and remember to use mutex locks when you access it. Also you might want to consider a map that converts session ids to user ids, to for instance limit the number of allowed sessions.

3) Use a goroutine for each session; it's not very expensive and it adds a lot of flexibility for dynamic session lengths. For instance, do something like this:

func (session *session_t) keepAlive() {
	for {
		// read the deadline under the read lock, then arm a timer for it
		session.RLock()
		sessionExpiredChan := time.After(session.ExpirationTime.Sub(time.Now().UTC()))
		session.RUnlock()
		select {
		case <-sessionExpiredChan:
			// the timer fired; re-check, because ExpirationTime may have been extended meanwhile
			session.RLock()
			if time.Now().UTC().After(session.ExpirationTime) {
				session.RUnlock()
				session.kill()
				return
			}
			session.RUnlock()
		case <-session.KillThisSession:
			// the user or the server asked to end the session
			session.kill()
			return
		}
	}
}

Basically, what this does is keep the goroutine alive until session.ExpirationTime has passed, or until the user or server wants to kill the session. The loop allows you to extend the current session quite easily by just changing session.ExpirationTime (and if you do so, remember a mutex lock!).

4) COOKIES. Do not be afraid of using session cookies. They are different from other cookies. If you want to have session cookies, just don't set the expiration time. Also, do use cookie.Secure and cookie.HttpOnly. If you cannot use cookie.Secure because you don't use SSL, then... Use SSL! Get yourself a certificate and set it up on your server. Otherwise all your other security features are for naught, as your sessions could easily be hijacked.
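Points 1) to 3) above put together as one small, runnable store; this is an added example, not Christian's code or anything from the thread. It draws ids from crypto/rand, keeps a mutex-guarded map from session id to user, runs one goroutine per session that re-reads the deadline so a handler can extend it under the lock, and ends a session with an idempotent Kill; the names session, sessions, Create, keepAlive and Kill are my own.

```go
package main

import "crypto/rand"
import "encoding/hex"
import "sync"
import "time"

type session struct {
	UserID         string        // the map converts session ids to user ids (point 2)
	ExpirationTime time.Time     // read or written only while holding mu
	kill           chan struct{} // closed by Kill; wakes keepAlive
}
var mu sync.RWMutex                  // guards sessions and every session's ExpirationTime
var sessions = map[string]*session{} // session id -> session
func Create(userID string, ttl time.Duration) (string, error) {
	b := make([]byte, 32) // 256 bits from crypto/rand: an id nobody can guess (point 1)
	if _, err := rand.Read(b); err != nil {
		return "", err // never fall back to math/rand here: a predictable id is a forgeable session
	}
	id := hex.EncodeToString(b)
	mu.Lock()
	sessions[id] = &session{UserID: userID, ExpirationTime: time.Now().Add(ttl), kill: make(chan struct{})}
	go keepAlive(id, sessions[id]) // one goroutine per session (point 3)
	mu.Unlock()
	return id, nil
}
func keepAlive(id string, sess *session) { // re-reads the deadline on every wake-up, so handlers can extend it
	for {
		mu.RLock()
		wait := time.Until(sess.ExpirationTime)
		mu.RUnlock()
		if wait <= 0 { // deadline passed and nobody extended it under mu
			Kill(id)
			return
		}
		select {
		case <-time.After(wait): // deadline reached; loop re-reads it, it may have been moved
		case <-sess.kill: // logout or server-side revoke
			return
		}
	}
}
func Kill(id string) { // logout or revoke; idempotent, the entry is gone after the first call
	mu.Lock()
	defer mu.Unlock()
	if sess, ok := sessions[id]; ok {
		delete(sessions, id)
		close(sess.kill)
	}
}
```

A handler extends a session by writing sessions[id].ExpirationTime while holding mu.Lock(); the goroutine picks the new deadline up on its next wake-up.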