1// Copyright 2012 The Gorilla Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5/*
6Package sessions provides cookie and filesystem sessions and
7infrastructure for custom session backends.
8
9The key features are:
10
11	* Simple API: use it as an easy way to set signed (and optionally
12	  encrypted) cookies.
13	* Built-in backends to store sessions in cookies or the filesystem.
14	* Flash messages: session values that last until read.
15	* Convenient way to switch session persistency (aka "remember me") and set
16	  other attributes.
17	* Mechanism to rotate authentication and encryption keys.
18	* Multiple sessions per request, even using different backends.
19	* Interfaces and infrastructure for custom session backends: sessions from
20	  different stores can be retrieved and batch-saved using a common API.
21
22Let's start with an example that shows the sessions API in a nutshell:
23
24	import (
25		"net/http"
26		"github.com/gorilla/sessions"
27	)
28
29	// Note: Don't store your key in your source code. Pass it via an
30	// environmental variable, or flag (or both), and don't accidentally commit it
31	// alongside your code. Ensure your key is sufficiently random - i.e. use Go's
32	// crypto/rand or securecookie.GenerateRandomKey(32) and persist the result.
33	var store = sessions.NewCookieStore(os.Getenv("SESSION_KEY"))
34
35	func MyHandler(w http.ResponseWriter, r *http.Request) {
36		// Get a session. Get() always returns a session, even if empty.
37		session, err := store.Get(r, "session-name")
38		if err != nil {
39			http.Error(w, err.Error(), http.StatusInternalServerError)
40			return
41		}
42
43		// Set some session values.
44		session.Values["foo"] = "bar"
45		session.Values[42] = 43
46		// Save it before we write to the response/return from the handler.
47		session.Save(r, w)
48	}
49
50First we initialize a session store calling NewCookieStore() and passing a
51secret key used to authenticate the session. Inside the handler, we call
52store.Get() to retrieve an existing session or a new one. Then we set some
53session values in session.Values, which is a map[interface{}]interface{}.
54And finally we call session.Save() to save the session in the response.
55
56Note that in production code, we should check for errors when calling
57session.Save(r, w), and either display an error message or otherwise handle it.
58
59Save must be called before writing to the response, otherwise the session
60cookie will not be sent to the client.
61
62That's all you need to know for the basic usage. Let's take a look at other
63options, starting with flash messages.
64
65Flash messages are session values that last until read. The term appeared with
66Ruby On Rails a few years back. When we request a flash message, it is removed
67from the session. To add a flash, call session.AddFlash(), and to get all
68flashes, call session.Flashes(). Here is an example:
69
70	func MyHandler(w http.ResponseWriter, r *http.Request) {
71		// Get a session.
72		session, err := store.Get(r, "session-name")
73		if err != nil {
74			http.Error(w, err.Error(), http.StatusInternalServerError)
75			return
76		}
77
78		// Get the previous flashes, if any.
79		if flashes := session.Flashes(); len(flashes) > 0 {
80			// Use the flash values.
81		} else {
82			// Set a new flash.
83			session.AddFlash("Hello, flash messages world!")
84		}
85		session.Save(r, w)
86	}
87
88Flash messages are useful to set information to be read after a redirection,
89like after form submissions.
90
91There may also be cases where you want to store a complex datatype within a
92session, such as a struct. Sessions are serialised using the encoding/gob package,
93so it is easy to register new datatypes for storage in sessions:
94
95	import(
96		"encoding/gob"
97		"github.com/gorilla/sessions"
98	)
99
100	type Person struct {
101		FirstName	string
102		LastName 	string
103		Email		string
104		Age			int
105	}
106
107	type M map[string]interface{}
108
109	func init() {
110
111		gob.Register(&Person{})
112		gob.Register(&M{})
113	}
114
115As it's not possible to pass a raw type as a parameter to a function, gob.Register()
116relies on us passing it a value of the desired type. In the example above we've passed
117it a pointer to a struct and a pointer to a custom type representing a
118map[string]interface. (We could have passed non-pointer values if we wished.) This will
119then allow us to serialise/deserialise values of those types to and from our sessions.
120
121Note that because session values are stored in a map[string]interface{}, there's
122a need to type-assert data when retrieving it. We'll use the Person struct we registered above:
123
124	func MyHandler(w http.ResponseWriter, r *http.Request) {
125		session, err := store.Get(r, "session-name")
126		if err != nil {
127			http.Error(w, err.Error(), http.StatusInternalServerError)
128			return
129		}
130
131		// Retrieve our struct and type-assert it
132		val := session.Values["person"]
133		var person = &Person{}
134		if person, ok := val.(*Person); !ok {
135			// Handle the case that it's not an expected type
136		}
137
138		// Now we can use our person object
139	}
140
141By default, session cookies last for a month. This is probably too long for
142some cases, but it is easy to change this and other attributes during
143runtime. Sessions can be configured individually or the store can be
144configured and then all sessions saved using it will use that configuration.
145We access session.Options or store.Options to set a new configuration. The
146fields are basically a subset of http.Cookie fields. Let's change the
147maximum age of a session to one week:
148
149	session.Options = &sessions.Options{
150		Path:     "/",
151		MaxAge:   86400 * 7,
152		HttpOnly: true,
153	}
154
155Sometimes we may want to change authentication and/or encryption keys without
156breaking existing sessions. The CookieStore supports key rotation, and to use
157it you just need to set multiple authentication and encryption keys, in pairs,
158to be tested in order:
159
160	var store = sessions.NewCookieStore(
161		[]byte("new-authentication-key"),
162		[]byte("new-encryption-key"),
163		[]byte("old-authentication-key"),
164		[]byte("old-encryption-key"),
165	)
166
167New sessions will be saved using the first pair. Old sessions can still be
168read because the first pair will fail, and the second will be tested. This
169makes it easy to "rotate" secret keys and still be able to validate existing
170sessions. Note: for all pairs the encryption key is optional; set it to nil
171or omit it and and encryption won't be used.
172
173Multiple sessions can be used in the same request, even with different
174session backends. When this happens, calling Save() on each session
175individually would be cumbersome, so we have a way to save all sessions
176at once: it's sessions.Save(). Here's an example:
177
178	var store = sessions.NewCookieStore([]byte("something-very-secret"))
179
180	func MyHandler(w http.ResponseWriter, r *http.Request) {
181		// Get a session and set a value.
182		session1, _ := store.Get(r, "session-one")
183		session1.Values["foo"] = "bar"
184		// Get another session and set another value.
185		session2, _ := store.Get(r, "session-two")
186		session2.Values[42] = 43
187		// Save all sessions.
188		sessions.Save(r, w)
189	}
190
191This is possible because when we call Get() from a session store, it adds the
192session to a common registry. Save() uses it to save all registered sessions.
193*/
194package sessions
195