[Review pls] Google based authentication with sessions


Kai Hendry

Apr 21, 2019, 4:38:06 AM
to Gorilla web toolkit
Hi guys,

https://github.com/kaihendry/internal-google-login/blob/master/main.go#L148 - for example, I am not sure whether ID can be forged. Probably not.


Am I correct in thinking I don't need to be using https://github.com/gorilla/securecookie as sessions uses them?

Any other tips to make my minimal example more minimal? Destroying the session on logout seemed pretty tricky, as did logging the session's values:


Thank you in advance!

Kai Hendry

Apr 22, 2019, 11:24:40 PM
to Gorilla web toolkit
Another, more specific question about the API: is it really OK to ignore the error here?

func indexHandler(w http.ResponseWriter, req *http.Request) {
    session, _ := store.Get(req, sessionName)
    logs.Info("index")
    err := views.ExecuteTemplate(w, "index.html", session.Values)
    if err != nil {
        http.Error(w, err.Error(), http.StatusInternalServerError)
        return
    }
}

Do please see the full project here: https://github.com/kaihendry/internal-google-login

Matt S

Apr 23, 2019, 2:24:32 AM
to goril...@googlegroups.com
Hey Kai - 

• You don’t (should not) need to use both sessions & securecookie. sessions is higher level and much easier to use.
• Definitely check the error from store.Get



--
You received this message because you are subscribed to the Google Groups "Gorilla web toolkit" group.

Matt S

Apr 23, 2019, 2:27:17 AM
to goril...@googlegroups.com
Also:

• cookie values can’t be forged. Cookies are authenticated cryptographically (which is also why you should check for the error)
• you can delete the values in session.Values before logging a user out. 
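
An added illustration of the two points above, not code from this thread, from gorilla/sessions or from securecookie (whose wire format differs): a stand-alone Go sketch of the HMAC check that makes a cookie value unforgeable, so that a modified cookie surfaces as an error from the store rather than as values, plus the expiring cookie a logout sends alongside clearing session.Values. hashKey, SignValue, VerifyValue and LogoutCookie are names and values constructed for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

var (
	hashKey      = []byte("constructed-demo-key-not-for-real-use") // constructed for this example
	ErrBadCookie = errors.New("session cookie: bad format or MAC mismatch")
	enc          = base64.RawURLEncoding
)

// SignValue emits base64(payload) + "|" + base64(HMAC-SHA256(payload)); only the key holder can mint one.
func SignValue(payload string) string {
	mac := hmac.New(sha256.New, hashKey)
	mac.Write([]byte(payload))
	return enc.EncodeToString([]byte(payload)) + "|" + enc.EncodeToString(mac.Sum(nil))
}

// VerifyValue is the check a store performs before returning values: an edited cookie is an error, not data.
func VerifyValue(cookie string) (string, error) {
	parts := strings.SplitN(cookie, "|", 2)
	if len(parts) != 2 {
		return "", ErrBadCookie
	}
	payload, errP := enc.DecodeString(parts[0])
	sig, errS := enc.DecodeString(parts[1])
	if errP != nil || errS != nil {
		return "", ErrBadCookie
	}
	mac := hmac.New(sha256.New, hashKey)
	mac.Write(payload)
	if !hmac.Equal(mac.Sum(nil), sig) { // constant-time comparison
		return "", ErrBadCookie
	}
	return string(payload), nil
}

// LogoutCookie is the browser-side half of logout: after emptying session.Values, MaxAge < 0 tells the client to discard the cookie.
func LogoutCookie(name string) *http.Cookie {
	return &http.Cookie{Name: name, Value: "", Path: "/", MaxAge: -1, HttpOnly: true}
}

func main() { fmt.Println(VerifyValue(SignValue("email=kai@example.com"))) }
```

The ignored error in indexHandler is exactly the ErrBadCookie path here; without the check, a handler would carry on with an empty session and never log that a malformed cookie arrived.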

Kai Hendry

Apr 23, 2019, 8:39:15 AM
to goril...@googlegroups.com
On Tue, 23 Apr 2019 at 14:27, Matt S <elit...@gmail.com> wrote:
> • you can delete the values in session.Values before logging a user out.

Oh... Is it worth doing both whilst logging out a user? Struggling to find a canonical example that does this on GitHub search.


Am I missing a trick for logging the values?

// Flatten session.Values (a map[interface{}]interface{}) into map[string]string
// so the logger can print it.
mapString := make(map[string]string)
// https://stackoverflow.com/a/48226206/4534
for key, value := range session.Values {
    strKey := fmt.Sprintf("%v", key)
    strValue := fmt.Sprintf("%v", value)
    mapString[strKey] = strValue
}
return logs.WithFields(log.Fields{
    "auth": mapString,
})

If there are good sources I should read, please point them out!

Kai Hendry

Apr 26, 2019, 8:15:33 AM
to goril...@googlegroups.com
Made a video about what little I know about sessions:
https://www.youtube.com/watch?v=JSy9L1LDCVs