how to manage authenticated sessions?

blov · · 547 views
This is a shared resource; the information in it may have evolved or changed since it was posted.
I need some help related to my web application project, which is built using the Negroni library, if that matters. The application needs to authenticate against an external server using LDAP, and that part is okay. I was reading through several tutorials and other help pages describing how to manage user sessions, but those invariably go into describing how to accept a username and password and then create keys and stuff, and in some cases even email confirmation.

I was looking for something very simple and I was hoping you could point me to a library or page which I could use. So, I have this function which does the LDAP stuff and returns true on successful LDAP auth: `func authenticate(username string, password string) bool`

I created a handler for the login form which handles the login form:

```go
func login(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
	if r.Method == "POST" {
		if err := r.ParseForm(); err != nil {
			w.WriteHeader(http.StatusInternalServerError)
			log.Println("Form parsing failure")
			return
		}
		username := r.PostFormValue("username")
		password := r.PostFormValue("password")
		if username != "" && password != "" {
			// authenticate() does the LDAP bind and returns true on success
			if authenticate(username, password) {
				log.Println("successful authentication: ", username)
			} else {
				log.Println("failed authentication")
			}
		}
	}
}
```

I am unable to fit this with the rest of the stuff. I have not done web applications in the past, so I am not clear about sessions. I need to be able to start a session for a user and remember via a cookie that the user is already logged in. In other pages like "/home" I will need to print a message at the top saying "logged in as: some_username". Lastly, users should be able to log out.
Any pointers will be of great help.

---

**Comments:**

ikofai: Take a look at the following; these should help you in learning and bootstrapping your new web app: [links not preserved on this page]

ikofai: If you need more guidance or have questions feel free to ask!

Have_No_Name: I reviewed authboss and the sample program. It is a good package overall with a rich feature set. A couple of things I could not understand from the sample: it appears to use Google as the authentication provider. I need to replace it with the proprietary LDAP authenticator function like I described in my original post.

Then it appears that the login/logout pages are automatically provided by authboss and I get no say in it.

I already have a login form and the handler function for that form. In the handler function I call my authenticate(), which returns TRUE if the username+password were correct.

I don't know what to do next in that handler function. Possibly a silly question. From what I have been reading, I need to create a token and start a session. I have no idea how to do that. Thanks in advance!

ecmdome: Write a middleware with Negroni and use something like gorilla/sessions to help you manage the sessions.

[link not preserved on this page]

Edit: woops, meant to respond to the main thread.

Have_No_Name: I am also exploring [link not preserved on this page], which seems promising as well.

Have_No_Name: Tried following [link not preserved on this page] and example [link not preserved on this page]. The implementation is partially working. The session is maintained through browser restarts (even when there is no cookie). Not sure if this is intentional. This is probably not working as securely as I would have liked and I might need to do more study. But for now, I am unblocked and can go ahead and add more features.
I will revisit the authentication later again to improve it further. Thank you everyone for the suggestions.

barsonme:

> I need to be able to start a session for a user and remember via a cookie that the user is already logged in.

Once the user successfully validates their username + password...

Give the user an encrypted + authenticated cookie with a session id (random 256-bit number), authentication token (random 256-bit number), expiration time (`time.Now().Unix()`), and whatever other pertinent info you need.

Store that information in Redis or another database.

Create some middleware that does something like:

```go
func APIAuth(handle httprouter.Handle) httprouter.Handle {
	return func(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
		// retrieve the session record for this request from the database
		if ValidAuth() {
			handle(w, r, ps)
		} else {
			// reject
		}
	}
}
```

danhardman: I use JSON Web Tokens on my app that contain the current user's ID. Once the user logs in they get provided with a JWT which is then passed in the header of every request from then onwards.

If I wanted to get the current user details, I would send a GET request to foo/currentuser and the API would use the ID from the JWT to pull out the current user.
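As an added example (not code from this thread or from any library mentioned in it), here is how the server-side session barsonme describes fits around the asker's handler using only the Go standard library: `startSession` is what `login()` would call once `authenticate()` returns true, `currentUser` is the `ValidAuth()` check the middleware leaves open and is what a page like "/home" would use to print the logged-in username, and `endSession` is logout. The cookie name `sid`, the `sync.Map` standing in for Redis, and all function names are my own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"net/http"
	"sync"
	"time"
)
// sess is what the server remembers per login; the browser only ever holds the random id.
type sess struct {
	user    string
	expires time.Time
}
var sessions sync.Map // id -> sess; in-memory stand-in for the Redis/database suggested above
const cookieName = "sid"
// startSession is what the login handler calls once authenticate() returned true.
func startSession(w http.ResponseWriter, user string, ttl time.Duration) (string, error) {
	b := make([]byte, 32) // 256 random bits from crypto/rand, never math/rand
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	id := hex.EncodeToString(b)
	sessions.Store(id, sess{user, time.Now().Add(ttl)})
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: id, Path: "/", MaxAge: int(ttl.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode})
	return id, nil
}

// currentUser is the ValidAuth() check: maps the cookie to a user, failing if it is missing, unknown or expired.
func currentUser(r *http.Request) (string, bool) {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return "", false
	}
	v, ok := sessions.Load(c.Value)
	if !ok || time.Now().After(v.(sess).expires) {
		sessions.Delete(c.Value) // evict a stale entry
		return "", false
	}
	return v.(sess).user, true
}
// endSession is logout: forget the id server side and tell the browser to drop the cookie.
func endSession(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie(cookieName); err == nil {
		sessions.Delete(c.Value)
	}
	http.SetCookie(w, &http.Cookie{Name: cookieName, Value: "", Path: "/", MaxAge: -1})
}
```

Because the username and expiry live only on the server, editing the cookie cannot forge a login, and deleting the server-side entry ends the session immediately regardless of what the browser still holds.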