Webapplication log in system

Question

I am using revel to build my webapplication and trying to write authentication module. I finished with sign up part and now heading to write sign in part. I read about security part on The definitive guide to form-based website authentication and will use this recommendation.

What I am really do not know is, how sign in works. I am imaging that the process works like this:

User write username and password into the html form and press sign in
Server receive request and the controller will check, if user information match with data on database.
If yes, how continue.

The third point is where I am staying. But I have some idea how could works and not sure, if is the right way.

So when sign in information match with the database, I would set in session object(hash datatype) key value pair signed_in: true. Everytime when the user make a request to the webapplication, that need to be authenticated, I would look in the session object, if signed_in is true or not.

This is the way I would do, but as I mentioned above, I do not know if it is the right way.

mmm, it [seems](https://github.com/revel/revel/pull/458) auth is not fully fleshed out at revel — RickyA, Sep 30 '14 at 15:29
That's the idea. You probably want to put something identifying the user in the session as well. — twotwotwo, Sep 30 '14 at 17:47

score 0 · Answer 1 · answered Sep 30 '14 at 20:07

Yes like @twotwotwo mentioned, give it the user id and also a role.

So server side rendered flow: Step 1

user sends username (or other identifier) and secret.
using scrypt or bcrypt the secret is checked against the stored salted hash in the database
if it matches you create a struct or a map
serialize struct or map into string (json, msgpack, gob)
encrypt the string with AES https://github.com/gomango/utility/blob/master/crypto.go (for instance). Set a global AES key.
create a unique cookie (or session) identifier (key)
store identifier and raw struct or map in database
send encrypted cookie out (id = encrypted_struct_or_map aka the encrypted string)

On a protected resource (or page): Step 2

read identifier from cookie
check if id exists in db
decode cookie value using AES key
compare values from cookie with stored values
if user.role == "allowed_to_access_this_resource" render page
otherwise http.ResponseWriter.WriteHeader(403) or redirect to login page

Now if you wanted you could also have an application-wide rsa key and before encrypting the cookie value sign the string with the rsa private key (in Step 1). In Step 2 decode with AES key, check if signature valid, then compare content to db stored content.

On any changes you have to update the cookie values (struct/map) and the info in the database.

Webapplication log in system

1 Answers1