gorilla / Securecookie

Licence: bsd-3-clause
Package gorilla/securecookie encodes and decodes authenticated and optionally encrypted cookie values for Go web applications.

Programming Languages

go
31211 projects - #10 most used programming language

Projects that are alternatives of or similar to Securecookie

typo3-dp cookieconsent
TYPO3 Extension: Enable a cookie consent box. Let your visitors control the usage of cookies and load scripts or content after consent. (ePrivacy, TTDSG)
Stars: ✭ 28 (-94.48%)
Mutual labels:  cookie
Cookies Eu Banner
1kb vanilla JS script which manages the display of a cookie consent banner as requested by GDPR
Stars: ✭ 326 (-35.7%)
Mutual labels:  cookie
Secureheaders
A PHP library aiming to make the use of browser security features more accessible.
Stars: ✭ 364 (-28.21%)
Mutual labels:  cookie
Flask Session Cookie Manager
🍪 Flask Session Cookie Decoder/Encoder
Stars: ✭ 257 (-49.31%)
Mutual labels:  cookie
Xhttp2
💪A powerful network request library, encapsulated using the RxJava2 + Retrofit2 + OKHttp combination.
Stars: ✭ 292 (-42.41%)
Mutual labels:  cookie
Vue Cookie Law
🍪 👮 Hackable EU Cookie Law Plugin for Vue.js
Stars: ✭ 333 (-34.32%)
Mutual labels:  cookie
gdpr-cookie
Php Cookie checker for Analytics and Tawk.To (GDPR Compliance)
Stars: ✭ 21 (-95.86%)
Mutual labels:  cookie
Kkjsbridge
One-stop solution for WKWebView offline package support, Ajax/Fetch requests, form requests and Cookie synchronization (based on Ajax Hook, Fetch Hook and Cookie Hook)
Stars: ✭ 462 (-8.88%)
Mutual labels:  cookie
Vue Cookies
A simple Vue.js plugin for handling browser cookies
Stars: ✭ 293 (-42.21%)
Mutual labels:  cookie
Ngx Cookie Service
Angular (4.2+ ...11) service for cookies. Originally based on the `ng2-cookies` library.
Stars: ✭ 363 (-28.4%)
Mutual labels:  cookie
Ngx Cookie
Implementation of Angular 1.x $cookies service to Angular 2
Stars: ✭ 265 (-47.73%)
Mutual labels:  cookie
Angular Local Storage
An AngularJS module that gives you access to the browsers local storage with cookie fallback
Stars: ✭ 2,862 (+464.5%)
Mutual labels:  cookie
Zhihu Login
Simulated Zhihu login, with support for extracting CAPTCHAs and saving cookies
Stars: ✭ 340 (-32.94%)
Mutual labels:  cookie
Cookies.js
Simple cookie framework with full Unicode support
Stars: ✭ 254 (-49.9%)
Mutual labels:  cookie
Cookie Universal
Universal cookie plugin, perfect for SSR
Stars: ✭ 376 (-25.84%)
Mutual labels:  cookie
vue-cookie-next
A vue 3 plugin for handling browser cookies with typescript support. Load and save cookies within your Vue 3 application
Stars: ✭ 37 (-92.7%)
Mutual labels:  cookie
Js Cookie
A simple, lightweight JavaScript API for handling browser cookies
Stars: ✭ 18,861 (+3620.12%)
Mutual labels:  cookie
Cookiebar
CookieBar is a lightweight library for showing a brief message at the top or bottom of the screen.
Stars: ✭ 497 (-1.97%)
Mutual labels:  cookie
Bilibilidown
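(GUI, multi-platform support) Bilibili video downloader. Supports batch download of Watch Later lists, favorites and uploader videos | Bilibili Video Downloader 😳 For exchange and learning purposes only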
Stars: ✭ 382 (-24.65%)
Mutual labels:  cookie
Net
Powerful network requests on Android
Stars: ✭ 344 (-32.15%)
Mutual labels:  cookie

securecookie

securecookie encodes and decodes authenticated and optionally encrypted cookie values.

Secure cookies can't be forged, because their values are validated using HMAC. When encrypted, the content is also inaccessible to malicious eyes. It is still recommended that sensitive data not be stored in cookies, and that HTTPS be used to prevent cookie replay attacks.
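
The HMAC check described above, as an added standard-library sketch (not securecookie's code and not its wire format). The names Sign and Verify and the "payload.mac" layout are assumptions of this example; it shows why an altered value, a wrong key, or a value replayed under a different cookie name is rejected.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

var errInvalid = errors.New("cookie: MAC check failed")

// mac binds the value to the cookie name, so a value signed for one
// cookie is rejected when presented under another name.
func mac(key []byte, name, payload string) []byte {
	h := hmac.New(sha256.New, key)
	h.Write([]byte(name + "|" + payload))
	return h.Sum(nil)
}

// Sign returns base64url(payload) + "." + base64url(HMAC-SHA256(name|payload)).
func Sign(key []byte, name, payload string) string {
	enc := base64.RawURLEncoding
	return enc.EncodeToString([]byte(payload)) + "." + enc.EncodeToString(mac(key, name, payload))
}

// Verify recomputes the MAC and compares in constant time before
// returning the payload; any malformed or altered input is rejected.
func Verify(key []byte, name, cookie string) (string, error) {
	enc := base64.RawURLEncoding
	p, m, ok := strings.Cut(cookie, ".")
	if !ok {
		return "", errInvalid
	}
	payload, err1 := enc.DecodeString(p)
	got, err2 := enc.DecodeString(m)
	if err1 != nil || err2 != nil || !hmac.Equal(got, mac(key, name, string(payload))) {
		return "", errInvalid
	}
	return string(payload), nil
}

func main() {
	key := []byte("constructed-demo-key-32-bytes-xx") // constructed sample key
	c := Sign(key, "session", "user=alice")
	_, err := Verify(key, "session", "X"+c[1:]) // first payload character altered
	fmt.Println(c, err)
}
```

The payload in this sketch is only encoded, not encrypted, which corresponds to using securecookie with a nil blockKey.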

Examples

To use it, first create a new SecureCookie instance:

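// Hash keys should be at least 32 bytes long.
// GenerateRandomKey is used here so that both keys have a valid length;
// see the note below about persisting keys across restarts.
var hashKey = securecookie.GenerateRandomKey(64)
// Block keys should be 16 bytes (AES-128) or 32 bytes (AES-256) long.
// Shorter keys may weaken the encryption used.
var blockKey = securecookie.GenerateRandomKey(32)
var s = securecookie.New(hashKey, blockKey)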

The hashKey is required, used to authenticate the cookie value using HMAC. It is recommended to use a key with 32 or 64 bytes.

The blockKey is optional, used to encrypt the cookie value -- set it to nil to not use encryption. If set, the length must correspond to the block size of the encryption algorithm. For AES, used by default, valid lengths are 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256.

Strong keys can be created using the convenience function GenerateRandomKey(). Note that keys created using GenerateRandomKey() are not automatically persisted. New keys will be created when the application is restarted, and previously issued cookies will not be able to be decoded.
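
One way to keep keys stable across restarts while enforcing the length rules above, as an added example (not part of the securecookie package). The function name LoadCookieKeys and the environment variable names are assumptions of this example; keys are expected as hex strings.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"fmt"
	"os"
)

// Environment variable names are assumptions made for this example.
const (
	hashKeyEnv  = "COOKIE_HASH_KEY"  // hex, at least 32 bytes once decoded
	blockKeyEnv = "COOKIE_BLOCK_KEY" // hex, 16/24/32 bytes; unset disables encryption
)

// LoadCookieKeys reads hex-encoded keys via getenv and enforces the length
// rules described above. blockKey is nil when the variable is unset.
// Error messages never include key material.
func LoadCookieKeys(getenv func(string) string) (hashKey, blockKey []byte, err error) {
	hashKey, err = hex.DecodeString(getenv(hashKeyEnv))
	if err != nil {
		return nil, nil, fmt.Errorf("%s: not valid hex", hashKeyEnv)
	}
	if len(hashKey) < 32 {
		return nil, nil, fmt.Errorf("%s: got %d bytes, want at least 32", hashKeyEnv, len(hashKey))
	}
	raw := getenv(blockKeyEnv)
	if raw == "" {
		return hashKey, nil, nil // authenticated but not encrypted
	}
	blockKey, err = hex.DecodeString(raw)
	if err != nil {
		return nil, nil, fmt.Errorf("%s: not valid hex", blockKeyEnv)
	}
	// aes.NewCipher rejects anything other than 16, 24 or 32 bytes.
	if _, err = aes.NewCipher(blockKey); err != nil {
		return nil, nil, fmt.Errorf("%s: %w", blockKeyEnv, err)
	}
	return hashKey, blockKey, nil
}

func main() {
	hashKey, blockKey, err := LoadCookieKeys(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	// Pass both keys to securecookie.New(hashKey, blockKey).
	fmt.Printf("hash key %d bytes, block key %d bytes\n", len(hashKey), len(blockKey))
}
```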

Once a SecureCookie instance is set, use it to encode a cookie value:

func SetCookieHandler(w http.ResponseWriter, r *http.Request) {
	value := map[string]string{
		"foo": "bar",
	}
	if encoded, err := s.Encode("cookie-name", value); err == nil {
		cookie := &http.Cookie{
			Name:     "cookie-name",
			Value:    encoded,
			Path:     "/",
			Secure:   true,
			HttpOnly: true,
		}
		http.SetCookie(w, cookie)
	}
}

Later, use the same SecureCookie instance to decode and validate a cookie value:

func ReadCookieHandler(w http.ResponseWriter, r *http.Request) {
	if cookie, err := r.Cookie("cookie-name"); err == nil {
		value := make(map[string]string)
		if err = s.Decode("cookie-name", cookie.Value, &value); err == nil {
			fmt.Fprintf(w, "The value of foo is %q", value["foo"])
		}
	}
}

We stored a map[string]string, but secure cookies can hold any value that can be encoded using encoding/gob. To store custom types, they must be registered first using gob.Register(). For basic types this is not needed; it works out of the box. An optional JSON encoder that uses encoding/json is available for types compatible with JSON.

Key Rotation

Rotating keys is an important part of any security strategy. The EncodeMulti and DecodeMulti functions allow for multiple keys to be rotated in and out. For example, let's take a system that stores keys in a map:

// keys stored in a map will not be persisted between restarts
// a more persistent storage should be considered for production applications.
var cookies = map[string]*securecookie.SecureCookie{
	"previous": securecookie.New(
		securecookie.GenerateRandomKey(64),
		securecookie.GenerateRandomKey(32),
	),
	"current": securecookie.New(
		securecookie.GenerateRandomKey(64),
		securecookie.GenerateRandomKey(32),
	),
}

Using the current key to encode new cookies:

func SetCookieHandler(w http.ResponseWriter, r *http.Request) {
	value := map[string]string{
		"foo": "bar",
	}
	if encoded, err := securecookie.EncodeMulti("cookie-name", value, cookies["current"]); err == nil {
		cookie := &http.Cookie{
			Name:  "cookie-name",
			Value: encoded,
			Path:  "/",
		}
		http.SetCookie(w, cookie)
	}
}

Later, decode cookies. Check against all valid keys:

func ReadCookieHandler(w http.ResponseWriter, r *http.Request) {
	if cookie, err := r.Cookie("cookie-name"); err == nil {
		value := make(map[string]string)
		err = securecookie.DecodeMulti("cookie-name", cookie.Value, &value, cookies["current"], cookies["previous"])
		if err == nil {
			fmt.Fprintf(w, "The value of foo is %q", value["foo"])
		}
	}
}

Rotate the keys. This strategy allows previously issued cookies to be valid until the next rotation:

func Rotate(newCookie *securecookie.SecureCookie) {
	cookies["previous"] = cookies["current"]
	cookies["current"] = newCookie
}

License

BSD licensed. See the LICENSE file for details.