lostecho/build-web-application-with-golang
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add en/0.6.x.md syntax highlighting

Browse Source
This commit is contained in:
vCaesar
2017-05-20 17:56:20 +08:00
parent 919364cfe3
commit 19c6592848
4 changed files with 45 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
en/06.1.md
View File

@@ -35,11 +35,11 @@ If your application does set an expiry time (for example, setMaxAge(60*60*24)),
## Set cookies in Go
Go uses the `SetCookie` function in the `net/http` package to set cookies:
```Go
http.SetCookie(w ResponseWriter, cookie *Cookie)
```
`w` is the response of the request and cookie is a struct. Let's see what it looks like:
```Go
type Cookie struct {
Name string
Value string
@@ -57,27 +57,27 @@ Go uses the `SetCookie` function in the `net/http` package to set cookies:
Raw string
Unparsed []string // Raw text of unparsed attribute-value pairs
}
```
Here is an example of setting a cookie:
```Go
expiration := time.Now().Add(365 * 24 * time.Hour)
cookie := http.Cookie{Name: "username", Value: "astaxie", Expires: expiration}
http.SetCookie(w, &cookie)
  
```  
## Fetch cookies in Go
The above example shows how to set a cookie. Now let's see how to get a cookie that has been set:
```Go
cookie, _ := r.Cookie("username")
fmt.Fprint(w, cookie)
```
Here is another way to get a cookie:
```Go
for _, cookie := range r.Cookies() {
fmt.Fprint(w, cookie.Name)
}
```
As you can see, it's very convenient to get cookies from requests.
## Sessions

44
en/06.2.md
View File

@@ -34,7 +34,7 @@ Next, we'll examine a complete example of a Go session manager and the rationale
### Session manager
Define a global session manager:
```Go
type Manager struct {
cookieName string //private cookiename
lock sync.Mutex // protects session
@@ -49,40 +49,40 @@ Define a global session manager:
}
return &Manager{provider: provider, cookieName: cookieName, maxlifetime: maxlifetime}, nil
}
```
Create a global session manager in the `main()` function:
```Go
var globalSessions *session.Manager
// Then, initialize the session manager
func init() {
globalSessions = NewManager("memory","gosessionid",3600)
}
```
We know that we can save sessions in many ways including in memory, the file system or directly into the database. We need to define a `Provider` interface in order to represent the underlying structure of our session manager:
```Go
type Provider interface {
SessionInit(sid string) (Session, error)
SessionRead(sid string) (Session, error)
SessionDestroy(sid string) error
SessionGC(maxLifeTime int64)
}
```
- `SessionInit` implements the initialization of a session, and returns a new session if it succeeds.
- `SessionRead` returns a session represented by the corresponding sid. Creates a new session and returns it if it does not already exist.
- `SessionDestroy` given an sid, deletes the corresponding session.
- `SessionGC` deletes expired session variables according to `maxLifeTime`.
So what methods should our session interface have? If you have any experience in web development, you should know that there are only four operations for sessions: set value, get value, delete value and get current session id. So, our session interface should have four methods to perform these operations.
```Go
type Session interface {
Set(key, value interface{}) error //set session value
Get(key interface{}) interface{} //get session value
Delete(key interface{}) error //delete session value
SessionID() string //back current sessionID
}
```
This design takes its roots from the `database/sql/driver`, which defines the interface first, then registers specific structures when we want to use it. The following code is the internal implementation of a session register function.
```Go
var provides = make(map[string]Provider)
// Register makes a session provider available by the provided name.
@@ -97,11 +97,11 @@ This design takes its roots from the `database/sql/driver`, which defines the in
}
provides[name] = provider
}
```
### Unique session id's
Session id's are for identifying users of web applications, so they must be unique. The following code shows how to achieve this goal:
```Go
func (manager *Manager) sessionId() string {
b := make([]byte, 32)
if _, err := io.ReadFull(rand.Reader, b); err != nil {
@@ -109,11 +109,11 @@ Session id's are for identifying users of web applications, so they must be uniq
}
return base64.URLEncoding.EncodeToString(b)
}
```
### Creating a session
We need to allocate or get an existing session in order to validate user operations. The `SessionStart` function is for checking the existence of any sessions related to the current user, and creating a new session if none is found.
```Go
func (manager *Manager) SessionStart(w http.ResponseWriter, r *http.Request) (session Session) {
manager.lock.Lock()
defer manager.lock.Unlock()
@@ -129,9 +129,9 @@ We need to allocate or get an existing session in order to validate user operati
}
return
}
```
Here is an example that uses sessions for a login operation.
```Go
func login(w http.ResponseWriter, r *http.Request) {
sess := globalSessions.SessionStart(w, r)
r.ParseForm()
@@ -144,13 +144,13 @@ Here is an example that uses sessions for a login operation.
http.Redirect(w, r, "/", 302)
}
}
```
### Operation value: set, get and delete
The `SessionStart` function returns a variable that implements a session interface. How do we use it?
You saw `session.Get("uid")` in the above example for a basic operation. Now let's examine a more detailed example.
```Go
func count(w http.ResponseWriter, r *http.Request) {
sess := globalSessions.SessionStart(w, r)
createtime := sess.Get("createtime")
@@ -170,7 +170,7 @@ You saw `session.Get("uid")` in the above example for a basic operation. Now let
w.Header().Set("Content-Type", "text/html")
t.Execute(w, sess.Get("countnum"))
}
```
As you can see, operating on sessions simply involves using the key/value pattern in the Set, Get and Delete operations.
Because sessions have the concept of an expiry time, we define the GC to update the session's latest modify time. This way, the GC will not delete sessions that have expired but are still being used.
@@ -178,7 +178,7 @@ Because sessions have the concept of an expiry time, we define the GC to update
### Reset sessions
We know that web applications have a logout operation. When users logout, we need to delete the corresponding session. We've already used the reset operation in above example -now let's take a look at the function body.
```Go
// Destroy sessionid
func (manager *Manager) SessionDestroy(w http.ResponseWriter, r *http.Request){
cookie, err := r.Cookie(manager.cookieName)
@@ -193,11 +193,11 @@ We know that web applications have a logout operation. When users logout, we nee
http.SetCookie(w, &cookie)
}
}
```
### Delete sessions
Let's see how to let the session manager delete a session. We need to start the GC in the `main()` function:
```Go
func init() {
go globalSessions.GC()
}
@@ -208,7 +208,7 @@ Let's see how to let the session manager delete a session. We need to start the
manager.provider.SessionGC(manager.maxlifetime)
time.AfterFunc(time.Duration(manager.maxlifetime), func() { manager.GC() })
}
```
We see that the GC makes full use of the timer function in the `time` package. It automatically calls GC when the session times out, ensuring that all sessions are usable during `maxLifeTime`. A similar solution can be used to count online users.
## Summary

12
en/06.3.md
View File

@@ -1,7 +1,7 @@
# 6.3 Session storage
We introduced a simple session manager's working principles in the previous section, and among other things, we defined a session storage interface. In this section, I'm going to show you an example of a memory based session storage engine that implements this interface. You can tailor this to other forms of session storage as well.
```Go
package memory
import (
@@ -114,16 +114,16 @@ We introduced a simple session manager's working principles in the previous sect
session.Register("memory", pder)
}
```
The above example implements a memory based session storage mechanism. It uses its `init()` function to register this storage engine to the session manager. So how do we register this engine from our main program?
```Go
import (
"github.com/astaxie/session"
_ "github.com/astaxie/session/providers/memory"
)
```
We use the blank import mechanism (which will invoke the package's `init()` function automatically) to register this engine to a session manager. We then use the following code to initialize the session manager:
```Go
var globalSessions *session.Manager
// initialize in init() function
@@ -131,7 +131,7 @@ We use the blank import mechanism (which will invoke the package's `init()` func
globalSessions, _ = session.NewManager("memory", "gosessionid", 3600)
go globalSessions.GC()
}
```
## Links
- [Directory](preface.md)

12
en/06.4.md
View File

@@ -7,7 +7,7 @@ In this section, we are going to show you how to hijack a session for educationa
## The session hijacking process
The following code is a counter for the `count` variable:
```Go
func count(w http.ResponseWriter, r *http.Request) {
sess := globalSessions.SessionStart(w, r)
ct := sess.Get("countnum")
@@ -20,7 +20,7 @@ The following code is a counter for the `count` variable:
w.Header().Set("Content-Type", "text/html")
t.Execute(w, sess.Get("countnum"))
}
```
The content of `count.gtpl` is as follows:
Hi. Now count:{{.}}
@@ -60,7 +60,7 @@ Through this simple example of hijacking a session, you can see that it's very d
The first step is to only set session id's in cookies, instead of in URL rewrites. Also, we should set the httponly cookie property to true. This restricts client-side scripts from gaining access to the session id. Using these techniques, cookies cannot be accessed by XSS and it won't be as easy as we demonstrated to get a session id from a cookie manager.
The second step is to add a token to every request. Similar to the manner in which we dealt with repeating form submissions in previous sections, we add a hidden field that contains a token. When a request is sent to the server, we can verify this token to prove that the request is unique.
```Go
h := md5.New()
salt:="astaxie%^7&8888"
io.WriteString(h,salt+time.Now().String())
@@ -69,11 +69,11 @@ The second step is to add a token to every request. Similar to the manner in whi
// ask to log in
}
sess.Set("token",token)
```
### Session id timeout
Another solution is to add a create time for every session, and to replace expired session id's with new ones. This can prevent session hijacking under certain circumstances such as when the hijack is attempted too late.
```Go
createtime := sess.Get("createtime")
if createtime == nil {
sess.Set("createtime", time.Now().Unix())
@@ -81,7 +81,7 @@ Another solution is to add a create time for every session, and to replace expir
globalSessions.SessionDestroy(w, r)
sess = globalSessions.SessionStart(w, r)
}
```
We set a value to save the create time and check if it's expired (I set 60 seconds here). This step can often thwart session hijacking attempts.
By combining the two solutions set out above you will be able to prevent most session hijacking attempts from succeeding. On the one hand, session id's that are frequently reset will result in an attacker always getting expired and useless session id's; on the other hand, by setting the httponly property on cookies and ensuring that session id's can only be passed via cookies, all URL based attacks are mitigated. Finally, we set `MaxAge=0` on our cookies, which means that the session id's will not be saved in the browser history.