I'm working with go-macaron and we are define a REST API but it is completely open to the wold I can not block any HTTP request from anywhere.

I would like let request enter only if valid cookie and only valid cookie if a POST is done in "/ogin" URL with valid {"username": "XXXX" , "password" , "YYYY" } data.

There is anywhere with a simple example on how can we do this?

I can not find any simple example.

Thank you very much

memory provider works fine, but if I use mysql - it basically seems to be a no-op with no queries executed. The session is changed in memory, but doesn't write to the database.

Currently using Set('key', '') and Destory(ctx) to perform these operations, but doesn't seem to be the right way.

I saw var _ Store = &store{} in session.go, but I don't understand what's the meaning of this declare of anonymous usage ?

I think macaron supporting modules such as session and csfr should refer back to the main package "macaron" as:

github.com/go-macaron/macaron

Instead of:

gopkg.in/macaron.v1

I propose this as there could be problems in depending on a centralized resource, other than github, to resolve macaron's dependencies. There have been some reports lately in twitter about issues happening around gopkg.in:

https://twitter.com/webRat/status/735940872907464704

https://twitter.com/DanielMorsing/status/735959541578358785?lang=es

https://twitter.com/rw_grim/status/748577274069323776

Moreover, this makes sharing a project with other team members more cumbersome, as they will have to install external dependencies in their own workspaces to have it compiled.

Since the standardization of the vendor directory in go 1.6, we have been managing our dependencies in this folder through git submodules and we haven't had any issues in doing that. The great benefit is that we can attach any explicit dependency revision (commit) to our projects and we no longer need any external tools to integrate third party packages in them.

We've been loving macaron and really appreciate how much hassle it removes from our shoulders. Thanks a lot for it! We think that this little fix could make the framework much more stable and thus, encourage greatly its adoption.

Note: I will add this issue too in the macaron main repository.

It's hard to destroy a non-current user's session...

Hello,
When I start the web server using macaron, if the session store is empty, there is no problem in setting structs to user;
Here's the model;

type User struct {
    Model
    Name     string `json:"name,omitempty"`
    Email    string `json:"email,omitempty"`
    Password string `json:"password,omitempty"`
    Birthday string `json:"birthday,omitempty"`
    Domain   Domain `json:"domain,omitempty"`
}

When I first run sess.Set("user", user) it saves with no errors. However, If I close the web server and open again sess.Set() it shows the following error;

http: panic serving [::1]:61196: session(start): gob: name not registered for interface:

It seems like I need to register some kind of struct metadata to gob.
This issue is present whether I use folder session store or mysql.

Are there any solutions to that?

We need:

• A config option to switch on/off, default to be "on".
• Set the HttpOnly cookie attribute when calling SetCookie.

文档中
Interval: 3600, // GC interval for memory adapter.

实际是下面这个???
Gclifetime: 3600,

eg:

var Sess = session.NewMemStore("memsessionId")

func Hander(){
err := Sess.Set("Name", "1111")
if err != nil {
    return
}

err2 := Sess.Set("Name", "222")
if err2 != nil {
    return
}
sessList := Sess.Get("Name")
fmt.Println("session的状态", sessList)
}

打印的结果是：

session的状态 222

eg2:

function Hander(){
err := Sess.Set("Name", "1111")
if err != nil {
    return
}
sessList := Sess.Get("Name")
fmt.Println("session的状态", sessList)
}

打印的结果是：

session的状态 1111

http://www.yougam.com/ 用了下面这句简单的获取当前激活的session来作为统计在线人数的代码

        self.Data["usersonline"] = sess.GetActiveSession()

但常发现在线人数可以飙升到几百上千,3千5千都见识过..但事实的真相是肯定不存在这么多人在线的..

Related to our recent discussion at gogs/gogs#3363 can we change the default permissions to be much more restrictive? os.ModePerm is 0777 which is world writeable, world readable, and world executable. I wouldn't mind contributing a patch for this if you're open to this change.

Can we change this to 0600 for files (read/write for the owner only) and 0700 for directories (read/write/execute for the owner only)?

https://tools.ietf.org/html/draft-west-first-party-cookies-07

There is no synchronization between the FileProvider and the FileStore when the Release() call writes data to the file. As a result reads and writes to the same file can happen at the same time. This is bad and can lead to the file being read after the write call has truncated the file but before the data is written.

"MacaronSession": M字头大写会帅点~

Hi,

I'm already using postgres for my data and now want to use the same driver for my sessions. Unfortunately I cannot just import "github.com/go-macaron/session/postgres" as I already have "github.com/mattes/migrate/driver/postgres" somewhere else in my code. If I use both import statements I get the expected error

panic: sql: Register called twice for driver postgres

If I don't import the macaron/session driver I get

panic: session: unknown provider 'postgres'(forgotten import?)

What's the correct way to solve that situation?

Actually it would be good, if the cache/session implementation would support redis sentinel.

I guess supporting it is extremly simple. it actually just needs a configuration.
basically the redis client already supports it: https://godoc.org/gopkg.in/redis.v2#example-NewFailoverClient

this will actually try to query the master and is more useful than just redis by itself

TLDR: also provide a way to use NewFailoverClient, which means that clients will "search" the master via sentinel

Cache Issue: go-macaron/cache#11

With a simple application like this:

import (
	"github.com/go-macaron/session"
	"gopkg.in/macaron.v1"
)

func main() {
	m := macaron.New()
	m.Use(session.Sessioner())
	m.Get("/", func(ctx *macaron.Context) string {
		return "home"
	})
	m.Run()
}

I get Value not found for type *macaron.Context. Removing m.Use(session.Sessioner()) line fixes the problem.

Destory isn't a word, but I imagine this will break backwards compatibility?

https://github.com/go-macaron/session/blob/master/session.go#L57