Idiomatic session middleware

<p>So I am currently writing a small webapp just to teach myself how to make a webapp with go. The problem I encountered is how to handle sessions and users in a nice way.</p> <p>My first try duplicated all the code that extracts the session, checks if user is logged in etc. in every single page. This caused quite a lot of problems with maintainability and ease of use as you can expect.</p> <p>So after this I went searching for how to manage this properly. A lot of options however couldn&#39;t really do what I needed though (redirecting) while saving sessions.</p> <p>So I ended up writing my own session middleware. Using &#34;golang.org/x/net/context&#34; was a must for me since it <a href="https://github.com/golang/go/issues/14660" rel="nofollow">will be integrated</a> in the standard library with go1.7. I ended up using <a href="https://goji.io/" rel="nofollow">Goji</a> to manage this for me.</p> <p>The code for my middleware can be found here: <a href="http://pastebin.com/9Q9vzHMe" rel="nofollow">http://pastebin.com/9Q9vzHMe</a></p> <p>I wonder if you guys think this middleware is this the proper way to do it or are there better methods.</p> <hr/>**评论：**<br/><br/>Injunire: <pre><p>I have been using <a href="https://github.com/apexskier/httpauth" rel="nofollow">https://github.com/apexskier/httpauth</a> for a project and found it to work great. It ties into a http.Handler so works with the standard library and any packages using this interface.</p></pre>cluelessgopher: <pre><p>I use oauth2 which is what caused all the problems since you need to redirect users. If you redirect and then save session it doesn&#39;t seem to work, that is the main reason I ended up writing my own middleware.</p></pre>thewhitetulip: <pre><p>I had tried httpauth but didn&#39;t like it and oauth2 isn&#39;t suitable for offline webapps. so used gorilla/sessions, but until a few days ago hadn&#39;t found a good enough tutorial, I wrote a small app to learn how to do web dev in Go, <a href="http://github.com/thewhitetulip/Tasks" rel="nofollow">http://github.com/thewhitetulip/Tasks</a></p> <p>check the sessions package, <a href="http://github.com/thewhitetulip/Tasks/sessions" rel="nofollow">http://github.com/thewhitetulip/Tasks/sessions</a> and the views, <a href="http://github.com/thewhitetulip/Tasks/sessionViews.go" rel="nofollow">http://github.com/thewhitetulip/Tasks/sessionViews.go</a></p> <p>The code needs refactoring, will add middleware to check sessions as per this comment <a href="https://www.reddit.com/r/golang/comments/4ihjk7/added_session_handling_function_in_my_app/d2ywkpp" rel="nofollow">https://www.reddit.com/r/golang/comments/4ihjk7/added_session_handling_function_in_my_app/d2ywkpp</a></p> <p>I am yet to use the context package to identify users, but within a month or so my book for teaching intro to webapp with go will be complete</p> <p>link: <a href="http://github.com/thewhitetulip/web-dev-golang-anti-textbook/" rel="nofollow">http://github.com/thewhitetulip/web-dev-golang-anti-textbook/</a></p> <p>I&#39;d love to get some content contributed from your learnings about the context library/sessions.</p></pre>tmornini: <pre><p>If you know HTML/CSS/Javascript well you&#39;ll be much happier if you split the application into front-end static files that use Javascript to make requests against a backend API written in Go.</p> <p>Sessions are abominations created to easy the of the transition from pre-HTTP application design to post-HTTP application design.</p> <p>I apologize in advance if it sounds like I&#39;m talking down to you, but please understand that I&#39;m throwing you a role to pull you to a better and more productive development environment.</p></pre>neoasterisk: <pre><p>I am all for Go as API and web stuff in the front but sometimes you just cannot avoid sessions. It depends on the feature you are trying to make.</p></pre>tmornini: <pre><p>Your statement is 100% false and completely misses the point of HTTP.</p> <p>I know, because I thought las you did once...and now realize just how wrong I was.</p></pre>interactiv_: <pre><p>But you didn&#39;t explain why he is false. There is only 2 options : </p> <ul> <li><p>json web token (needs javascript)</p></li> <li><p>appending a token to every link in the app (unsecure)</p></li> </ul> <p>Sometimes, sessions are more conveniant.</p></pre>