package module
Version: v0.0.0-...-8d4e740

This package is not in the latest version of its module.
Published: Aug 26, 2020 License: MIT Imports: 8 Imported by: 8


Authboss Client State

Session and Cookie ClientStateRW implementations using Gorilla.

Assuming you're using Gorilla in your web application, you can use this package to adapt Gorilla for use with authboss, or use this package's wrappers directly.





type CookieState

type CookieState map[string]string

CookieState is an authboss.ClientState implementation that holds cookie state for the duration of the request.

func (CookieState) Get

func (c CookieState) Get(key string) (string, bool)

Get a cookie's value

type CookieStorer

type CookieStorer struct {
	Cookies []string

	// Defaults empty
	Domain string
	// Defaults to /
	Path string
	// Defaults to 1 month
	MaxAge int
	// Defaults to true
	HTTPOnly bool
	// Defaults to true
	Secure bool
	// Samesite defaults to 0 or "off"
	SameSite http.SameSite
}

CookieStorer writes and reads cookies to an underlying gorilla secure cookie storage.

Because it embeds the SecureCookie piece this can be used as the cookie storage for your entire application (rather than only as a stub for authboss).

func NewCookieStorer

func NewCookieStorer(hashKey, blockKey []byte) CookieStorer

NewCookieStorer constructor simply wraps the constructor for securecookie.New. The parameters are the hash key and the block key.

The hash key is required to authenticate the cookie with HMAC (32 or 64 bytes).

The block key is optional and encrypts the cookie value (set it to nil to disable encryption). For AES (the default encryption algorithm), 16, 24, or 32 byte keys select AES-128, AES-192, or AES-256 respectively.

Ensure you verify the security options for the cookie on the CookieStorer.

This documentation was copied from securecookie.New and is prone to doc-rot. Please consult the documentation there too.

func NewCookieStorerFromExisting

func NewCookieStorerFromExisting(storage *securecookie.SecureCookie) CookieStorer

NewCookieStorerFromExisting takes a preconfigured secure cookie instance and simply uses it.

Ensure you verify the additional security options for the cookie on the CookieStorer. This method creates a cookie storer with the options tuned for high security by default.

func (CookieStorer) ReadState

func (c CookieStorer) ReadState(r *http.Request) (authboss.ClientState, error)

ReadState from the request

func (CookieStorer) WriteState

WriteState to the responsewriter

type SessionState

type SessionState struct {
	// contains filtered or unexported fields
}

SessionState is an authboss.ClientState implementation that holds the request's session values for the duration of the request.

func (SessionState) Get

func (s SessionState) Get(key string) (string, bool)

Get a key from the session

type SessionStorer

type SessionStorer struct {
	Name string
}

SessionStorer stores sessions in a gorilla session store. By default it's backed by cookies, but this can be overridden by changing the underlying store manually or using the appropriate constructor.

func NewSessionStorer

func NewSessionStorer(sessionName string, keypairs ...[]byte) SessionStorer

NewSessionStorer creates a new gorilla sessions.CookieStore and uses that for underlying storage.

The sessionName is the name that will be used for the session cookie on the client (one session has many values).

It also takes pairs of keys (HMAC authentication key, encryption key); when rotating keys, pass multiple pairs. Set the second key of a pair to nil if encryption isn't desired.

Authentication keys should be 32 or 64 bytes. Encryption keys should be 16, 24, or 32 bytes for AES-128, AES-192, and AES-256 respectively.

This creates the session storer with the most secure options: MaxAge=0, Secure=true, HttpOnly=true. You can change them after it's created by converting the Store or simply create your own sessions.NewCookieStore and set its options manually.

These docs are prone to doc-rot since they're copied from the gorilla session store documentation.
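The key-length rules stated for NewCookieStorer (one hash/block pair) and NewSessionStorer (one or more pairs for rotation) can be checked at startup before the keys reach either constructor. The following is an added example, not code from this package; CheckKeyPairs and NewKey are hypothetical helper names, and it uses only the standard library.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
)

// aesVariant maps a block (encryption) key length in bytes to the AES variant it selects.
var aesVariant = map[int]string{16: "AES-128", 24: "AES-192", 32: "AES-256"}

// CheckKeyPairs validates keys laid out as (hash, block) pairs, the layout
// NewSessionStorer takes for rotation. It returns one description per pair.
func CheckKeyPairs(keypairs ...[]byte) ([]string, error) {
	if len(keypairs) == 0 {
		return nil, errors.New("no keys given: a hash key is required")
	}
	var out []string
	for i := 0; i < len(keypairs); i += 2 {
		if n := len(keypairs[i]); n != 32 && n != 64 {
			return nil, fmt.Errorf("pair %d: hash key is %d bytes, want 32 or 64", i/2, n)
		}
		mode := "HMAC only (value not encrypted)"
		// A missing or nil second key means the cookie is authenticated but readable.
		if i+1 < len(keypairs) && keypairs[i+1] != nil {
			v, ok := aesVariant[len(keypairs[i+1])]
			if !ok {
				return nil, fmt.Errorf("pair %d: block key is %d bytes, want 16, 24 or 32", i/2, len(keypairs[i+1]))
			}
			mode = "HMAC + " + v
		}
		out = append(out, mode)
	}
	return out, nil
}

// NewKey returns n bytes from the operating system's CSPRNG.
func NewKey(n int) ([]byte, error) {
	k := make([]byte, n)
	_, err := rand.Read(k)
	return k, err
}

func main() {
	hash, _ := NewKey(64)
	block, _ := NewKey(32)
	modes, err := CheckKeyPairs(hash, block, []byte("old-passphrase"), nil)
	fmt.Println(modes, err) // the rotated-out pair fails the length check
}
```

Running the check over every pair, including older rotation pairs, surfaces a short passphrase used as a key at startup rather than on the first request.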

func NewSessionStorerFromExisting

func NewSessionStorerFromExisting(sessionName string, store sessions.Store) SessionStorer

NewSessionStorerFromExisting takes a store object that's already configured and uses it directly. This can be anything that satisfies the interface.

sessionName is the name of the cookie/file/whatever on the client or on the filesystem etc.

func (SessionStorer) ReadState

func (s SessionStorer) ReadState(r *http.Request) (authboss.ClientState, error)

ReadState loads the session from the request context

func (SessionStorer) WriteState

WriteState to the responsewriter
