Traditionally, authentication—or simple authentication—works with sessions. The flow starts like this. A client sends an authentication request to the server using user credentials. The server takes those credentials and matches them with the credentials stored on the server. If a match is successful, it writes something called a cookie in the response. This cookie is a small piece of information that is transferred by the client for all subsequent requests. Modern websites are being designed to be single-page applications (SPAs). In those websites, static assets such as HTML and JavaScript files are served from a Content Delivery Network (CDN) to render the web page initially. After that, the communication between the web page and application server happens only through the REST API/web services.
A session is a nice way to record user communication in a given period of time. A session is a concept whereby authentication information is stored in a cookie. The following diagram explains what happens in a basic session-based authentication:
Now, let's look at a practical approach. A Client (for example, a browser) sends a request to the Login API of the Server. The server tries to check those credentials with the database and, if the credentials exist, writes a cookie back onto the response saying that this user is authenticated.
A cookie is a message consumed by the server at a later point in time. When the client receives the response, it stores that cookie locally. After that, the client can ask for resources from the server by showing the cookie as the key for passage.
When a client decides to terminate the session, it calls the logout API on the server. The server destroys the session in the response. This process is repeated for every login/logout. The server can also place an expiration on cookies so that the authentication window is valid for a certain time if there is no activity. This is how many websites work.
Now, we'll try to implement one such system using the gorilla/sessions package. We already learned about gorilla/mux in the initial chapters. We need to install the package first by using the following command:
go get github.com/gorilla/mux
go get github.com/gorilla/sessions
Alternatively, we could do this by using the Dep tool, as follows:
dep init
dep ensure -add github.com/gorilla/mux
dep ensure -add github.com/gorilla/sessions
We can create a new session using the NewCookieStore method from the sessions package, like this:
var store = sessions.NewCookieStore([]byte("secret_key"))
That secret_key should be the key that gorilla/sessions uses to encrypt the session cookies. If we add a session as a normal text, anyone can read it. So, the server needs to encrypt a message to a random string. For that, it asks to provide a secret key. This secret key can be any randomly generated string.
Keeping secret keys in code is not a good idea, so we try to store it as an environment variable and read it in code on the fly. In the next section, we'll look at an example of session authentication.