What if, instead of storing user information on the client side in a JWT, you handed the client a token that holds only a random key, with the user's information kept on the server side under that key? Such a session ID would be valid only for a specified duration and would expire immediately after use, so a leaked or replayed token is far less useful to an attacker. This approach enhances security and minimizes the risk of unauthorized access.
This was intended to be used for web app authentication with HTTP cookies, but other applications may find it useful as well.
```
Need authentication? ───────────────────────────────┐
├── Yes                                             │
│   └── Is the user key valid?                      │
│       ├── Yes                                     │
│       │   └── Generate new one/Invalidate old one │
│       │       └── Continue execution normally ────┘
│       └── No
│           └── Authentication error
└── No
    └── Well, ok then.
```
```sh
go get -u github.com/ed-henrique/suk
```
```go
package main

import (
	"fmt"

	"github.com/ed-henrique/suk"
)

func main() {
	resource := "important stuff here!"

	// Creates new session storage
	ss, _ := suk.New(suk.WithAutoClearExpiredKeys())
	// Removes session storage
	defer suk.Destroy(ss)

	// Sets resource to a randomly generated key
	key, _ := ss.Set(resource)

	// Gets the resource, invalidating the previous key.
	// The stored value comes back in a fresh variable rather than
	// overwriting the string above, since its static type may differ.
	got, newKey, _ := ss.Get(key)
	fmt.Println(got)

	// Removes both the key and the resource
	ss.Remove(newKey)
}
```
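The rotate-on-use, expire-after-a-duration scheme behind the `Set`/`Get` calls above, as an added example written from scratch here (it is not suk's own code): every key comes from `crypto/rand`, a presented key is deleted whether or not it was valid so a replay fails, and a valid key is exchanged for a new one. The `Store`/`entry` names, the mutex and the `bool` return are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"sync"
	"time"
)

// Store keeps client data server-side behind random, single-use keys.
type Store struct {
	mu   sync.Mutex // makes one store safe to share across concurrent HTTP handlers
	ttl  time.Duration
	keys map[string]entry
}
type entry struct{ resource any; expires time.Time } // the key is rejected after expires
func NewStore(ttl time.Duration) *Store {
	return &Store{ttl: ttl, keys: make(map[string]entry)}
}
// newKey draws 32 bytes from the OS CSPRNG (never math/rand), so keys are unguessable.
func newKey() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG must not silently yield weak keys
	}
	return hex.EncodeToString(b)
}
// Set stores resource and returns the fresh key the client presents later.
func (s *Store) Set(resource any) string {
	s.mu.Lock()
	defer s.mu.Unlock()
	k := newKey()
	s.keys[k] = entry{resource, time.Now().Add(s.ttl)}
	return k
}

// Get deletes the presented key on every attempt (so a replay fails); a valid, unexpired key yields the resource under a new key.
func (s *Store) Get(key string) (any, string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, found := s.keys[key]
	delete(s.keys, key)
	if !found || time.Now().After(e.expires) {
		return nil, "", false
	}
	k := newKey()
	s.keys[k] = entry{e.resource, time.Now().Add(s.ttl)}
	return e.resource, k, true
}
```

Expired entries are only dropped when their key is presented; a periodic sweep of `keys` would be needed to bound memory, which is what suk's `WithAutoClearExpiredKeys` option is for.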
Please refer to this.
- Multiple cookies can connect to a single session, but they are not aware of each other
- If all cookies to a session are used up, the reference to the session is lost
- Extensive testing
- Make implementation concurrent-safe
- Use a better algorithm for random and strong keys (refer to this)