• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

fuzz/H24-Feb-2017-

.travis.ymlH A D24-Feb-2017304

LICENSEH A D24-Feb-20171.4 KiB

README.mdH A D24-Feb-20172.8 KiB

doc.goH A D24-Feb-20172.1 KiB

fuzz.goH A D24-Feb-2017413

securecookie.goH A D24-Feb-201719.4 KiB

securecookie_test.goH A D24-Feb-20177.3 KiB

README.md

1securecookie
2============
3[![GoDoc](https://godoc.org/github.com/gorilla/securecookie?status.svg)](https://godoc.org/github.com/gorilla/securecookie) [![Build Status](https://travis-ci.org/gorilla/securecookie.png?branch=master)](https://travis-ci.org/gorilla/securecookie)
4[![Sourcegraph](https://sourcegraph.com/github.com/gorilla/securecookie/-/badge.svg)](https://sourcegraph.com/github.com/gorilla/securecookie?badge)
5
6
7securecookie encodes and decodes authenticated and optionally encrypted
8cookie values.
9
10Secure cookies can't be forged, because their values are validated using HMAC.
11When encrypted, the content is also inaccessible to malicious eyes. It is still
12recommended that sensitive data not be stored in cookies, and that HTTPS be used
13to prevent cookie [replay attacks](https://en.wikipedia.org/wiki/Replay_attack).
14
15## Examples
16
17To use it, first create a new SecureCookie instance:
18
19```go
20// Hash keys should be at least 32 bytes long
21var hashKey = []byte("very-secret")
22// Block keys should be 16 bytes (AES-128) or 32 bytes (AES-256) long.
23// Shorter keys may weaken the encryption used.
24var blockKey = []byte("a-lot-secret")
25var s = securecookie.New(hashKey, blockKey)
26```
27
28The hashKey is required, used to authenticate the cookie value using HMAC.
29It is recommended to use a key with 32 or 64 bytes.
30
31The blockKey is optional, used to encrypt the cookie value -- set it to nil
32to not use encryption. If set, the length must correspond to the block size
33of the encryption algorithm. For AES, used by default, valid lengths are
3416, 24, or 32 bytes to select AES-128, AES-192, or AES-256.
35
36Strong keys can be created using the convenience function GenerateRandomKey().
37
38Once a SecureCookie instance is set, use it to encode a cookie value:
39
40```go
41func SetCookieHandler(w http.ResponseWriter, r *http.Request) {
42	value := map[string]string{
43		"foo": "bar",
44	}
45	if encoded, err := s.Encode("cookie-name", value); err == nil {
46		cookie := &http.Cookie{
47			Name:  "cookie-name",
48			Value: encoded,
49			Path:  "/",
50			Secure: true,
51			HttpOnly: true,
52		}
53		http.SetCookie(w, cookie)
54	}
55}
56```
57
58Later, use the same SecureCookie instance to decode and validate a cookie
59value:
60
61```go
62func ReadCookieHandler(w http.ResponseWriter, r *http.Request) {
63	if cookie, err := r.Cookie("cookie-name"); err == nil {
64		value := make(map[string]string)
65		if err = s2.Decode("cookie-name", cookie.Value, &value); err == nil {
66			fmt.Fprintf(w, "The value of foo is %q", value["foo"])
67		}
68	}
69}
70```
71
72We stored a map[string]string, but secure cookies can hold any value that
73can be encoded using `encoding/gob`. To store custom types, they must be
74registered first using gob.Register(). For basic types this is not needed;
75it works out of the box. An optional JSON encoder that uses `encoding/json` is
76available for types compatible with JSON.
77
78## License
79
80BSD licensed. See the LICENSE file for details.
81