edited title

Link

edited Oct 21, 2018 at 3:26

Jamal

35.2k
13
134
238

Is this minimal Go cookie authentication system safe?

Bumped by Community user

occurred Oct 20, 2018 at 15:00

Bumped by Community user

occurred Sep 20, 2018 at 14:01

Bumped by Community user

occurred Aug 21, 2018 at 13:01

Bumped by Community user

occurred Jul 22, 2018 at 12:21

edited tags

Link

edited May 27, 2016 at 17:34

200_success

145.6k
22
191
481

Tweeted twitter.com/#!/StackCodeReview/status/551461696439865344

occurred Jan 3, 2015 at 19:34

Fixed randString returning empty string.

Source Link

edited Dec 22, 2014 at 5:18

425nesp

183
4

func tryLogin(username, password string) (http.Cookie, error) {
    if exists := db.UserExists(username, password); !exists {
        return http.Cookie{},
            errors.New("The username or password you entered isn't correct.")
    }

    sid, err := randString(32)
    if err != nil {
         return http.Cookie{}, err
    }

    sessions[sid] = true

    loginCookie := http.Cookie{
        Name:     "id",
        Value:    sid,
        MaxAge:   int((time.Hour * 12).Seconds()),
        HttpOnly: true,
        Domain:   "mydomain.com",
        Path:     "/admin/",
    }

    return loginCookie, nil
}

func randString(size int) (string, error) {
    buf := make([]byte, size)

    if _, err := rand.Read(buf); err != nil {
        log.Println(err)
        return "", errors.New("Couldn't generate random string")
    }

    return base64.URLEncoding.EncodeToString(buf)[:size], nil
}

func tryLogin(username, password string) (http.Cookie, error) {
    if exists := db.UserExists(username, password); !exists {
        return http.Cookie{},
            errors.New("The username or password you entered isn't correct.")
    }

    sid := randString(32)
    sessions[sid] = true

    loginCookie := http.Cookie{
        Name:     "id",
        Value:    sid,
        MaxAge:   int((time.Hour * 12).Seconds()),
        HttpOnly: true,
        Domain:   "mydomain.com",
        Path:     "/admin/",
    }

    return loginCookie, nil
}

func randString(size int) string {
    buf := make([]byte, size)

    if _, err := rand.Read(buf); err != nil {
        log.Println(err)
        return ""
    }

    return base64.URLEncoding.EncodeToString(buf)[:size]
}

func tryLogin(username, password string) (http.Cookie, error) {
    if exists := db.UserExists(username, password); !exists {
        return http.Cookie{},
            errors.New("The username or password you entered isn't correct.")
    }

    sid, err := randString(32)
    if err != nil {
         return http.Cookie{}, err
    }

    sessions[sid] = true

    loginCookie := http.Cookie{
        Name:     "id",
        Value:    sid,
        MaxAge:   int((time.Hour * 12).Seconds()),
        HttpOnly: true,
        Domain:   "mydomain.com",
        Path:     "/admin/",
    }

    return loginCookie, nil
}

func randString(size int) (string, error) {
    buf := make([]byte, size)

    if _, err := rand.Read(buf); err != nil {
        log.Println(err)
        return "", errors.New("Couldn't generate random string")
    }

    return base64.URLEncoding.EncodeToString(buf)[:size], nil
}

Source Link

asked Dec 22, 2014 at 4:36

425nesp

183
4

Loading

Stack Exchange Network

Return to Question

Is this minimal Go cookie authentication system safe?