<p>Hi,</p>
<p>I'm using GoRestful package to create REST APIs and using the LDAP package to authenticate users. When a user is authenticated, I want to start a session for the user and have the session expire after 1 day.</p>
<p>I've got authentication working as well as my REST APIs but I have no idea where and how to start with sessions, any advice on this?</p>
<p>I tried using the "gorilla/sessions" package but was running into issues with getting/setting the session value (invalid params).</p>
<p>Thanks</p>
<hr/>**Comments:**<br/><br/>skarlso: <pre><p>Actually, sessions are a bad practice when facing a REST API. </p>
<p>REST is / should be stateless. Meaning, every request should be able to identify itself after an authentication has happened. </p>
<p>Either via access_tokens in the header, or via <a href="http://tools.ietf.org/html/rfc6750">Bearer - Tokens</a>, SSL and <a href="http://oauth.net/2/">OAuth 2</a>.</p>
<p>Having a session really defeats the purpose of having a REST implemented. </p>
<p>$0.02.</p></pre>PleaseDismantle: <pre><p><a href="https://github.com/Throckmortra/soysos" rel="nofollow">https://github.com/Throckmortra/soysos</a></p>
<p>This is still very rough, but you may find some helpful stuff there. Userresource is the route resource for auth and getting a token. You can find my SQLite db stuff for managing tokens in database.go. Sessions.go is a misnomer, it only contains the UUID generators I've been playing with for creating the session tokens. </p>
<p>My idea was to establish sessions with tokens and then expire the tokens by checking the database hourly and getting rid of any tokens that are older than 12 hours. </p>
<p>You could take this a different direction and throw a goroutine for each session. That seemed like overkill though.</p></pre>
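<p>Added example, not from the thread or the linked repository: a Go sketch of the token approach discussed in the comments, using the one-day lifetime from the question. <code>TokenStore</code> and its methods are hypothetical names and the in-memory map stands in for the database table; validation checks expiry itself, so a late periodic sweep only delays cleanup and never extends a token's life.</p>

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

// TokenStore is a hypothetical in-memory token table; add a mutex before sharing it between handlers.
type TokenStore struct {
	ttl     time.Duration
	expires map[string]time.Time // token -> expiry time
}

// Issue returns a 256-bit random token; call it once authentication succeeds.
func (s *TokenStore) Issue(now time.Time) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.expires[tok] = now.Add(s.ttl)
	return tok, nil
}

// Valid enforces expiry at lookup, so a token dies on time even if Sweep is late.
func (s *TokenStore) Valid(header string, now time.Time) bool {
	tok := strings.TrimPrefix(header, "Bearer ")
	exp, ok := s.expires[tok]
	return ok && tok != header && now.Before(exp) // tok == header: no "Bearer " prefix
}

// Sweep is the periodic cleanup: it deletes expired tokens and returns the count.
func (s *TokenStore) Sweep(now time.Time) (removed int) {
	for tok, exp := range s.expires {
		if !now.Before(exp) {
			delete(s.expires, tok)
			removed++
		}
	}
	return removed
}

func main() {
	s := &TokenStore{ttl: 24 * time.Hour, expires: map[string]time.Time{}}
	tok, _ := s.Issue(time.Now())
	fmt.Println("valid after 25h:", s.Valid("Bearer "+tok, time.Now().Add(25*time.Hour)))
}
```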