Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Manager ¶
type Manager struct {
Store // Handles storage and retrieval of session data.
Propagator // Manages transmission of session identifiers in HTTP messages.
CtxSessionKey string // Key for session object storage in request context.
}
The Manager struct acts as a centralized component that orchestrates the session management within a web application. By embedding the Store and Propagator interfaces, it seamlessly combines the functionality of session storage and identifier propagation. The Manager handles the complete lifecycle of a session, which includes creating sessions, storing them, transmitting session identifiers in HTTP messages, and cleaning up as needed. This higher-level struct allows for simplified session management throughout the application, as it encapsulates all the necessary operations within a single entity.
Fields:
- CtxSessionKey: A string that represents the key under which the session object is stored in the context of an HTTP request. This allows middleware and handlers to retrieve the session info from the context using this key, facilitating a standard way of accessing session data during the processing of a request.
The inclusion of both the Store and Propagator interfaces suggests that any instance of Manager is capable of performing all session-related operations defined by these interfaces. This includes generating and managing session data (through the Store interface) and handling the session identifiers across HTTP requests and responses (through the Propagator interface).
Here is an example of how the Manager struct could be initialized and used within an application:
func main() {
// Initialize the session manager with specific implementations of Store and Propagator.
sessionManager := &Manager{
Store: NewRedisStore(), // assuming NewRedisStore returns an implementation of Store
Propagator: NewCookiePropagator("session_id"), // assuming NewCookiePropagator returns an implementation of Propagator
CtxSessionKey: "session", // the key used to store session objects in context
}
// Set up your HTTP server, routes, middleware, etc.,
// and use sessionManager to manage sessions in your application.
}
Through Manager, all handlers and middleware in the application can interact with sessions using a standardized interface without worrying about the underlying storage or communication mechanisms, which are abstracted away by the implementations of Store and Propagator.
Implementers of the Manager struct should ensure that necessary synchronizations or concurrent access handling are considered in their implementations of Store and Propagator to prevent race conditions or data inconsistencies.
func (*Manager) GetSession ¶
GetSession is a method that retrieves the current user's session from the HTTP request and caches it in the context for future use within the scope of the current request processing. This method provides a single entry point for session retrieval, and ensures that the session is loaded only once per request, thereby improving performance and reducing redundant operations.
The flow is as follows:
- It first checks if the UserValues map within the mist.Context is initialized. If not, it initializes the map to store the session object later in the process.
- The method then tries to retrieve the session from the UserValues map using the CtxSessionKey defined in the Manager struct. This is to check if the session was already fetched and cached earlier in the current request lifecycle.
- If the session is found in the map, it is returned immediately, avoiding any further operations.
- If not, the method utilizes the Propagator interface's Extract method to retrieve the session identifier from the incoming HTTP request, which is typically read from a cookie or request header.
- With the session identifier obtained, the method then fetches the actual session data using the Store interface's Get method. This method call also passes along the context from the request to handle any session-related context operations such as deadlines or cancellations.
- After the session is successfully retrieved, it is stored in the UserValues map using the CtxSessionKey for quick access during subsequent calls within the same request lifecycle.
- Finally, the actual session data or an error (if any occurred while retrieving the session identifier or the session data) is returned.
If at any point there is a failure to retrieve the session identifier or the session data, an error is returned to the caller. This method centralizes error handling related to session retrieval, which simplifies the session logic elsewhere in the application.
The mist.Context is assumed to be a custom HTTP context that contains both the standard library context and additional data fields used for managing user-specific values within a single request lifecycle.
Usage: This method should be called by middlewares or handlers that require access to the current user's session. It exempts them from having to handle low-level session extraction and storage mechanisms directly.
func (*Manager) InitSession ¶
InitSession is responsible for creating a new session and associating it with the client who initiated the HTTP request. It is typically called when a new user visits the application and a new session needs to be established. The method leverages the capabilities of the embedded interfaces within the Manager struct to generate a unique session identifier, create a new session, and transmit this session identifier back to the client for future interactions.
The process involves the following steps:
- Generate a new unique identifier for the session using a universally unique identifier (UUID) library.
- With the new session identifier, the method calls the Generate method of the embedded Store interface to actually create a new session in the session store. This session creation is supposed to associate the generated UUID with a new session object and store it in whatever storage mechanism the Store interface implementation uses (e.g., in-memory, database, etc.). The request context is provided to handle any necessary context operations such as deadlines or request cancellations.
- If an error occurs during session generation (e.g., database error, context deadline exceeded), this error is returned to the caller and no further steps are taken.
- Should the session generation be successful, the new identifier is then propagated to the client using the Inject method of the Propagator interface which is part of the Manager. This step typically involves setting a cookie or an HTTP header in the response so that the client can include this identifier in subsequent requests to maintain the session context.
- The new session object is returned to the caller along with any error that might occur during the identifier injection process (though no error is expected in creating a new session at this point, errors might occur while setting an HTTP response header or cookie).
It's important for the implementer to note that after this method is called, the client must include the session identifier in subsequent requests, and the server will need to handle this identifier to retrieve the associated session from the store.
The mist.Context parameter provides request-specific information including the Request and ResponseWriter which are used to retrieve and set information related to the session. This context is assumed to be part of a custom processing pipeline that allows easy access and manipulation of HTTP request and response data.
Usage: This method should be called when a new user session needs to be initiated. Typically, it would be invoked within the authentication process, or when a session is not found for a request and needs to be created.
Example:
http.HandleFunc("/login", func(w http.ResponseWriter, r *http.Request) {
ctx := mist.NewContext(r, w)
session, err := sessionManager.InitSession(ctx)
if err != nil {
// Handle error
}
// Session initialized successfully, store session data or modify response as needed.
})
func (*Manager) RefreshSession ¶
RefreshSession is a method that updates an existing session's expiry time to extend its life. This is commonly referred to as "session refresh" or "session regeneration" and is a critical security practice to prevent "session fixation" attacks. It is typically used in scenarios where the application wants to ensure that the session remains valid, such as after a user performs a sensitive action or after a fixed interval of time.
The session is refreshed using the following process:
- Retrieve the current session associated with the request by calling the GetSession method. This uses the context and the mechanisms provided by the Propagator and Store interfaces to locate the session data.
- If an error is encountered during session retrieval, such as when the session does not exist or the session identifier is invalid, the error is immediately returned and the refresh operation is aborted.
- Assuming the session is retrieved successfully, the method proceeds to refresh the session's expiry time by calling the Refresh method of the Store interface. The Store interface's Refresh method is implemented by the session storage mechanism (e.g., a database) and is responsible for updating the session's expiry time within the storage backend.
- The Refresh method takes the session ID obtained from the retrieved session and the request context (to allow for timeout or cancelation) as parameters.
- An error is returned if the attempt to refresh the session fails; otherwise, nil is returned, indicating a successful refresh.
It is important to design the underlying Store implementation to handle the refresh operation atomically to avoid any race conditions or inconsistencies.
The mist.Context is assumed to be a custom object that encapsulates the standard Go context and additional information pertaining to the HTTP request cycle (for example, HTTP request and response accessor methods).
Usage: This method should be used when you need to prolong a user's session after some event or at regular intervals during their interaction with the application. It is most commonly placed within middleware or wrapped within handler functions that trigger the refresh logic.
Here's an example of how to use RefreshSession within an HTTP handler function:
http.HandleFunc("/dashboard", func(w http.ResponseWriter, r *http.Request) {
ctx := mist.NewContext(r, w)
err := sessionManager.RefreshSession(ctx)
if err != nil {
// Handle error (e.g., redirect to login page)
}
// Proceed with handling the request, knowing the session has been refreshed.
})
func (*Manager) RemoveSession ¶
RemoveSession is a method designed to delete a user's session from the session store and to clear any session identifiers from the client's context, effectively logging the user out. This can be a critical function for user security, ensuring sessions are properly terminated when a user logs out or when their session should be invalidated for other reasons, such as after changing a password, after a period of inactivity, or for administrative logout purposes.
The flow of the session removal process operates as follows:
- Attempt to retrieve the existing session from the mist.Context by calling the GetSession method of the Manager struct, which retrieves session data based on a session identifier found in the client's request.
- If this retrieval fails (for example, if the session has already expired or does not exist), an error is returned immediately and no further action is taken.
- Once the session is successfully retrieved, the Manager struct's embedded Store interface is used to remove the session data from the persistent session storage via the Store.Remove method. This requires the context from the current HTTP request (for deadline or cancellation purposes) and the session ID.
- An error from the Store.Remove operation (which might indicate that the session data could not be deleted, for instance, due to a database error) is also returned immediately, preventing the process from continuing.
- Assuming the session has been removed from storage without errors, the Manager struct's embedded Propagator interface performs the final step of the process. The Propagator.Remove method is called to clear any session identifiers from the client's environment, such as by clearing the client's session cookie or other client-side storage. This ensures that the session cannot be reused.
- Finally, the method returns nil to indicate that the session was successfully removed, or it returns an error if the Propagator.Remove operation failed.
The input parameter mist.Context is a custom HTTP context type which provides access to the HTTP request and response objects along with additional utilities. This method manipulates both the response to clear client identifiers and the session store for backend operations.
Usage: This method is called when a session needs to be unequivocally terminated, such as during a logout process. It is often paired with authentication middleware or within an HTTP handler that processes logout requests.
Example usage within an HTTP handler:
http.HandleFunc("/logout", func(w http.ResponseWriter, r *http.Request) {
ctx := mist.NewContext(r, w)
if err := sessionManager.RemoveSession(ctx); err != nil {
// Handle errors: maybe log the error and redirect to the home page?
}
// Successful removal: redirect to login page or confirm logout.
})
type Propagator ¶
type Propagator interface {
Inject(id string, writer http.ResponseWriter) error // Add a session identifier to the HTTP response
Extract(req *http.Request) (string, error) // Retrieve a session identifier from the HTTP request
Remove(writer http.ResponseWriter) error // Delete a session identifier from the HTTP response
}
The Propagator interface defines methods responsible for managing the propagation of session identifiers across HTTP requests and responses in a web application. This interface abstracts the operations of adding, retrieving, and deleting a session identifier (such as a cookie or a token) to and from HTTP requests and responses, thereby allowing session tracking and management universally across different systems and components. Methods:
- Inject(id string, writer http.ResponseWriter) error: Inserts a session identifier 'id' into an outgoing HTTP response using the provided ResponseWriter. This is typically used to set a cookie or an HTTP header that contains the session identifier, enabling the client (e.g., a web browser) to return the identifier in subsequent requests to maintain the session state. If there's an issue writing to the response (e.g., headers already written), the method should return an error.
- Extract(req *http.Request) (string, error): Analyzes an incoming HTTP request and extracts the session identifier. This is commonly used to read a cookie or a header from the request, validating its presence and perhaps its format or integrity. If the session identifier is successfully retrieved, it is returned; otherwise, an error is returned, which may indicate that the session identifier is not present or invalid.
- Remove(writer http.ResponseWriter) error: Clears the session identifier from the outgoing HTTP response, effectively terminating the session from the server's perspective. This is generally implemented by invalidating a cookie or clearing a header in the response. If there's a problem modifying the response (e.g., if it's too late to change headers), the method should return an error.
Session identifiers are typically compact and should be handled in a secure manner to prevent security vulnerabilities such as Session Hijacking or Session Fixation. Implementers should ensure that identifiers are properly encrypted or signed and handled over secure channels when necessary. An example implementation might look like:
type CookiePropagator struct {
// CookieName defines the name of the cookie to be used for session identification.
CookieName string
// Other configuration for the cookie such as Domain, Path, Secure flags, etc.
}
func (cp *CookiePropagator) Inject(id string, writer http.ResponseWriter) error {
// ... set cookie with the session id ...
}
func (cp *CookiePropagator) Extract(req *http.Request) (string, error) {
// ... read and return the session id from the request cookie ...
}
func (cp *CookiePropagator) Remove(writer http.ResponseWriter) error {
// ... invalidate the cookie to remove the session ...
}
This interface is essential for ensuring session continuity and coherence in stateful web applications, providing a high-level abstraction over the raw HTTP mechanisms used underneath.
type Session ¶
type Session interface {
Get(ctx context.Context, key string) (any, error) // Retrieve a value from the session
Set(ctx context.Context, key string, value any) error // Store a value in the session
ID() string // Return the session's unique identifier
}
Session is an interface that defines the contract for a session management system. In web applications, a session represents a single user's interactions with the application across multiple requests. It is used to store and retrieve data specific to a user or session scope. The Session interface allows for getting and setting of session values and retrieval of a unique session identifier. Session implementations should handle concurrency and provide some form of persistence mechanism, which could range from in-memory storage to database-backed solutions. These operations are context-aware, allowing them to participate in context-specific lifecycles, such as request timeouts or cancellations. Methods:
- Get(ctx context.Context, key string) (any, error): Retrieves a value from the session data. The 'key' argument specifies which value to retrieve. If the key does not exist, the method should return nil without error. An error is returned only if there is a problem with the retrieval process itself, not if the key is merely absent.
- Set(ctx context.Context, key string, value any) error: Assigns a 'value' to a 'key' in the session data. If the 'key' already exists, the value should be overwritten. As with 'Get', any context-related behavior should be handled within this method. If there is an error while setting the value (e.g., write failure), an error should be reported back to the caller.
- ID() string: This method returns the unique identifier for the session. Typically, this identifier is generated when the session is first created and remains constant throughout the session's lifecycle. The ID is used to link a session to a specific user or interaction sequence.
Usage and Implementation Notes: The 'Session' type assumes 'any' type for stored values, allowing for flexibility in what kinds of data can be stored in the session. However, the underlying implementation needs to ensure proper serialization and deserialization of these values as sessions may be persisted across different requests and even server restarts. It is important to ensure thread safety within the methods if the session store is accessed concurrently. Sessions should also handle cleanup and invalidation as necessary, and the implementation should detail how long session values persist (e.g., expiry time, persistent or ephemeral storage). As an example, an implementation could use a synchronized map structure to store session values, with an additional expiration timestamp to handle session lifetimes:
type InMemorySession struct {
id string
values sync.Map // Thread-safe map to store session values
expiry time.Time // Expiration time of the session
// ... additional session properties and mutexes ...
}
func (s *InMemorySession) Get(ctx context.Context, key string) (any, error) {
// ... retrieve value from the session ...
}
func (s *InMemorySession) Set(ctx context.Context, key string, value any) error {
// ... set value in the session ...
}
func (s *InMemorySession) ID() string {
return s.id
}
The above example provides a simple template for how session data can be managed within a web application. It emphasizes the importance of thread-safe data access and context management.
type Store ¶
type Store interface {
Generate(ctx context.Context, id string) (Session, error) // Create a new session
Refresh(ctx context.Context, id string) error // Extend a session's life
Remove(ctx context.Context, id string) error // Delete an existing session
Get(ctx context.Context, id string) (Session, error) // Retrieve a session's data
}
The Store interface defines a set of methods for session management in an application. This interface requires any session store implementation to create, refresh, remove, and retrieve sessions. A session typically represents a period of interaction between a user and an application and can hold crucial data such as user identity, preferences, and application state. The operations to manipulate these sessions are context-aware, meaning they can be cancelled, have timeouts attached to them, or carry request-scoped values via the provided context.Context object. This interface allows an application to abstract away the details of how sessions are stored and managed, whether it's in memory, a database, a file system, or some other form of storage. Methods:
- Generate(ctx context.Context, id string) (Session, error): Responsible for creating a new session with the given identifier 'id'. It returns the newly created Session object and any error encountered during the creation process. This is typically called during user login or initial interaction.
- Refresh(ctx context.Context, id string) error: Updates an existing session's expiration or last active time, if applicable, to prevent the session from expiring. This is typically used for extending user sessions to keep them logged in or maintaining their state.
- Remove(ctx context.Context, id string) error: Deletes a session from the store, effectively logging out the user or clearing any state stored in the session. This occurs when a user explicitly logs out or when a session needs to be invalidated for security reasons.
- Get(ctx context.Context, id string) (Session, error): Retrieves the session associated with the given identifier 'id'. It returns the Session object if it exists and any error that occurs during the retrieval. This is called whenever an application needs to access the session data for a request.
The 'Session' type mentioned in the methods is expected to be an interface or a struct that encapsulates the session data. The specific implementation of 'Session' will depend on the application's requirements. Note that this interface does not specify how to handle session collision or the specifics of session expiration details. Implementations of this interface should ensure these aspects are handled according to their needs and document any specific behaviors. Example Implementation: An in-memory store could implement the Store interface like so:
type InMemoryStore struct {
sessions map[string]Session
lock sync.RWMutex
// ... additional fields and methods ...
}
func (s *InMemoryStore) Generate(ctx context.Context, id string) (Session, error) {
// ... generate and store a new session ...
}
func (s *InMemoryStore) Refresh(ctx context.Context, id string) error {
// ... refresh session expiration time ...
}
func (s *InMemoryStore) Remove(ctx context.Context, id string) error {
// ... remove session from store ...
}
func (s *InMemoryStore) Get(ctx context.Context, id string) (Session, error) {
// ... retrieve a session based on the id ...
}
The above interface abstraction enables one to switch session store implementations with minimal changes to the overall application logic, providing flexibility and scalability for session management strategies.
Source Files
Directories