session

package
v0.5.0
Published: Apr 4, 2026 License: MIT Imports: 12 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var ErrSessionNotFound = errors.New("session not found")

ErrSessionNotFound is returned by Store.Get when no session exists for the given ID.

Functions

func NewID

func NewID() (string, error)

NewID is the package-level ID generator, exposed for use by Manager.

Types

type Config

type Config struct {
	// CookieName is the name of the session cookie. Default: "arx_session".
	CookieName string
	// MaxAge is how long a session lives before it expires. Default: 24 hours.
	MaxAge time.Duration
	// Secure instructs the browser to send the cookie only over HTTPS.
	// Set to false only in local development. Default: true.
	Secure bool
	// HttpOnly prevents JavaScript from reading the cookie. Always keep this true.
	HttpOnly bool
	// SameSite controls cross-site cookie sending. Default: SameSiteStrictMode.
	SameSite http.SameSite
	// Path is the URL path scope for the cookie. Default: "/".
	Path string
}

Config holds the cookie and session lifetime settings for a Manager. Use DefaultConfig() and override only what you need.

func DefaultConfig

func DefaultConfig() Config

DefaultConfig returns a secure-by-default session configuration.

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager handles session creation, loading, signing, and persistence. Create one with New() and apply its middleware to your app.

func New

func New(secretKey []byte, store Store, cfg Config) (*Manager, error)

New creates a Manager with the given secret key, store, and config. secretKey must be at least 32 bytes — it is used for HMAC-SHA256 session ID signing. Never hardcode this value; load it from an environment variable or secret manager.

func (*Manager) Middleware

func (m *Manager) Middleware() arx.Middleware

Middleware returns an arx.Middleware that loads the session on the way in and saves, rotates, or invalidates it on the way out.

func (*Manager) Sign

func (m *Manager) Sign(id string) string

Sign appends an HMAC-SHA256 signature to the session ID. The cookie value is: id + "." + base64url(HMAC(id))

func (*Manager) Verify

func (m *Manager) Verify(signed string) (string, bool)

Verify checks the HMAC signature and returns the session ID if valid. Uses constant-time comparison to prevent timing attacks.
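The cookie layout and constant-time check described for Sign and Verify, as a stand-alone sketch. This is an added example, not the package's own code: the helper names `sign` and `verify`, the unpadded base64url encoding, the split at the last "." and the demo key are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// sign builds id + "." + base64url(HMAC-SHA256(key, id)).
// Unpadded base64url is an assumption; the page only says "base64url".
func sign(key []byte, id string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	return id + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// verify splits at the last ".", recomputes the MAC over the ID part and
// compares with hmac.Equal, which runs in constant time.
func verify(key []byte, signed string) (string, bool) {
	i := strings.LastIndexByte(signed, '.')
	if i <= 0 {
		return "", false // no separator, or empty ID
	}
	id, sig := signed[:i], signed[i+1:]
	got, err := base64.RawURLEncoding.DecodeString(sig)
	if err != nil {
		return "", false // signature part is not valid base64url
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(id))
	if !hmac.Equal(got, mac.Sum(nil)) {
		return "", false // wrong key, altered ID, or truncated signature
	}
	return id, true
}

func main() {
	// Constructed demo key (>= 32 bytes); real keys come from a secret store.
	key := []byte("constructed-demo-key-0123456789abcdef")
	cookie := sign(key, "sess-1234")
	id, ok := verify(key, cookie)
	fmt.Println(id, ok)
	// A cookie whose ID part was changed no longer matches its signature.
	_, ok = verify(key, "sess-9999"+cookie[len("sess-1234"):])
	fmt.Println(ok)
}
```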

type MemoryStore

type MemoryStore struct {
	// contains filtered or unexported fields
}

MemoryStore is an in-process session store backed by a map. It is safe for concurrent use. Expired entries are removed lazily on Get. For production use with multiple processes or servers, use a shared store (e.g., Redis).

func NewMemoryStore

func NewMemoryStore() *MemoryStore

NewMemoryStore creates an empty MemoryStore.

func (*MemoryStore) Delete

func (m *MemoryStore) Delete(_ context.Context, id string) error

func (*MemoryStore) Get

func (m *MemoryStore) Get(_ context.Context, id string) (*Session, error)

func (*MemoryStore) Save

func (m *MemoryStore) Save(_ context.Context, s *Session, ttl time.Duration) error

Save persists the session with the given TTL.

type Session

type Session struct {
	// contains filtered or unexported fields
}

Session holds the data for a single user session. The session ID lives in an HMAC-signed cookie; everything else stays server-side.

func FromRequest

func FromRequest(r *http.Request) *Session

FromRequest retrieves the session attached to the current request. Returns nil if the session middleware was not applied.

func MustFromRequest

func MustFromRequest(r *http.Request) *Session

MustFromRequest retrieves the session from the request context. Panics if the session middleware was not applied — use this in handlers where the middleware is always present. Use FromRequest when you need nil-safety.

func NewSession

func NewSession(id string) *Session

NewSession creates a Session with the given ID and an empty value map. Used internally by the Manager when loading or creating sessions.

func (*Session) Delete

func (s *Session) Delete(key string)

Delete removes key from the session and marks it as modified. Deleting a key that does not exist is a no-op.

func (*Session) Get

func (s *Session) Get(key string) (any, bool)

Get returns the value stored under key and whether it was found.

func (*Session) ID

func (s *Session) ID() string

ID returns the current session ID.

func (*Session) Invalidate

func (s *Session) Invalidate()

Invalidate marks the session for deletion. The middleware will delete it from the store and clear the cookie after the handler returns. Use this on logout.

func (*Session) IsInvalidated

func (s *Session) IsInvalidated() bool

IsInvalidated reports whether Invalidate has been called on this session.

func (*Session) IsModified

func (s *Session) IsModified() bool

IsModified reports whether any values have been set or deleted since the session was loaded.

func (*Session) IsRotated

func (s *Session) IsRotated() bool

IsRotated reports whether Rotate has been called on this session.

func (*Session) OldID

func (s *Session) OldID() string

OldID returns the session ID before the last Rotate call. Returns an empty string if the session has not been rotated.

func (*Session) Rotate

func (s *Session) Rotate() error

Rotate generates a new session ID while preserving the existing data. The middleware will delete the old session from the store and save a new one. Use this after login or any privilege escalation to prevent session fixation.

func (*Session) Set

func (s *Session) Set(key string, value any)

Set stores value under key and marks the session as modified.

type Store

type Store interface {
	// Get retrieves the session by ID. Returns ErrSessionNotFound if absent or expired.
	Get(ctx context.Context, id string) (*Session, error)
	// Save persists the session with the given TTL.
	Save(ctx context.Context, s *Session, ttl time.Duration) error
	// Delete removes the session by ID. No-op if it does not exist.
	Delete(ctx context.Context, id string) error
}

Store is the interface a session backend must implement. The default is MemoryStore. Implement this interface to use Redis, Postgres, etc.
