Golang: Crypto sign cookies for security

Supermighty · · 1560 次点击 · · 开始浏览    
这是一个创建于 的文章,其中的信息可能已经有所发展或是发生改变。

You can improve the security of your Go web application by cryptographically signing cookies using sugarcookie. A small library used to for signing cookie values that you can verify and trust on a user's return visit. This gives you strong trust and allows you to decouple the cookie from a session on a specific server.

The signed cookie consists of a a secret value, a timestamp, and a unique identifier; which is one-way hashed, then concatenated with the timestam and unique identifer. Then everything is base64 encoded making it suitable for storing in a cookie.


hash := sha256.Sum256([]byte(secret + strconv.FormatInt(t, 10) + uniqueUserId))
value := hex.EncodeToString(hash[:]) + "-" + strconv.FormatInt(t, 10) + "-" + uniqueUserId
signature := base64.StdEncoding.EncodeToString([]byte(value))

You verify the cookie is valid by replaying the hash with the secret and the supplied timestamp and unique ID.

Including the time as part of the hash means you can use it as a secondary mechanism to invalidate the cookie. If it's too old, maybe an half an hour, you know it's no longer good, no need to test it; just invalidate it.


有疑问加站长微信联系(非本文作者)

本文来自:Walled City

感谢作者:Supermighty

查看原文:Golang: Crypto sign cookies for security

入群交流(和以上内容无关):加入Go大咖交流群,或添加微信:liuxiaoyan-s 备注:入群;或加QQ群:692541889

1560 次点击  
加入收藏 微博
上一篇:Go Workflow
下一篇:Golang Hosting
0 回复
暂无回复
添加一条新回复 (您需要 登录 后才能回复 没有账号 ?)
  • 请尽量让自己的回复能够对别人有帮助
  • 支持 Markdown 格式, **粗体**、~~删除线~~、`单行代码`
  • 支持 @ 本站用户;支持表情(输入 : 提示),见 Emoji cheat sheet
  • 图片支持拖拽、截图粘贴等方式上传