Sessions using Golang and Redis
In most applications and MVPs, you start the implementation with a login/signup feature. With a few DB interactions, this is quite easy.
But you don’t want to make the user log in again and again whenever they open a new page on your site. You must have noticed that on sites like Facebook, Gmail and Twitter you don’t have to log in again; rather, you are somehow authenticated and can see the desired home page.
This automatic authentication, which persists across the whole site, is done with the help of cookies and sessions. Let’s understand them one by one.
What are cookies?
Cookies are text files stored on the client machine (e.g. by the web browser) which are useful for tracking purposes. A cookie stores some information (which can be a key-value pair). These values are used by the server to perform some actions. Cookies allow developers to easily perform long-term user recognition.
Some useful links on cookies -
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
- https://medium.com/@endan/working-with-http-cookies-d72f1695a913
What are sessions?
A session can be defined as server-side storage of information that is desired to persist throughout the user’s interaction with the website or web application. You can pass information via URL parameters too, but usually you don’t want to expose some fields on the client side.
Some useful links on sessions -
- https://stackoverflow.com/questions/3804209/what-are-sessions-how-do-they-work
- Detailed explanation on sessions
Theory
Now you have a basic idea about cookies and sessions. Let’s think about how we should implement this. Essentially, you want to save a cookie on the client side whose value acts as an identifier on the server side, where you can authenticate the user.
Implementation
We will use HTTP cookies, with Redis as the data store; Redis will remove old stored sessions after they expire. You can use this for Redis Client.
Here we first generate a sessionID, which is a random string. We then add a cookie for sessionID via context. You can also add it via http.Request in your handler.
Then, we add a sessionUser which is a struct -
Now, let’s persist the cookie value in Redis and store the SessionUser object. Here, I set the expiry time in both the cookie and Redis to 180 seconds. You can change it (say, to 24 hours).
How to retrieve and check for cookies?
Once a user hits a URL which requires authentication -
- We check if we received a cookie
- Fetch the cookie value
- Check in Redis if the key exists.
- Fetch the user and check if the Authenticated param is set to true
Since you want to check the session across multiple pages, adding a middleware seems a better option here. Read about implementing middleware here.
Time to Test
- Create a /signup route, where you create a session for the user.
- Create another /profile route, add session auth middleware to this route. You’ll see you can access this page if you are logged in.
- To refresh the token, use a /sign-in page. Create a new sessionID there and make a new entry in Redis.
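The flow described above (create the session at /signup, check it in middleware in front of /profile), as an added example that is not the post's own code. It uses only the standard library: a sync.Map with an explicit Expires field stands in for Redis key expiry, and the names Signup, RequireSession, Profile, ttl, the Expires field and the HttpOnly/Secure/SameSite cookie attributes are assumptions.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"sync"
	"time"
)

const ttl = 180 * time.Second // the post's expiry, used for cookie and store alike
var store sync.Map            // assumed in-memory stand-in for Redis: sessionID -> SessionUser

type SessionUser struct { // the post names only Authenticated; Expires is assumed
	Authenticated bool
	Expires       time.Time
}

// Signup creates the session: random sessionID, stored user, cookie on the response.
func Signup(w http.ResponseWriter, r *http.Request) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // never fall back to a predictable ID
	}
	id := hex.EncodeToString(b)
	store.Store(id, SessionUser{true, time.Now().Add(ttl)})
	http.SetCookie(w, &http.Cookie{Name: "sessionID", Value: id, Path: "/",
		MaxAge: int(ttl.Seconds()), HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
}

// RequireSession is the middleware form of the four checks listed in the post.
func RequireSession(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie("sessionID"); err == nil { // a cookie was received
			v, _ := store.Load(c.Value) // look its value up in the store
			if u, ok := v.(SessionUser); ok && u.Authenticated && time.Now().Before(u.Expires) {
				next(w, r) // key exists, has not expired, Authenticated is true
				return
			}
		}
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	}
}

func Profile(w http.ResponseWriter, r *http.Request) { w.Write([]byte("profile\n")) }
func main() {
	http.HandleFunc("/signup", Signup)
	http.HandleFunc("/profile", RequireSession(Profile))
	http.ListenAndServe("127.0.0.1:8080", nil)
}
```

With Redis as the store, the Expires field goes away: set the key with a 180-second expiry and treat a missing key as logged out.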
Now, you can add sessions to your new project. 😎
Originally published at https://mohitkhare.me/blog/sessions-in-golang on February 25, 2020.