  2. 1

    Good article. I think recommending the use of encoding/gob for serializing structs is misguided though; JSON would be a much better and more portable choice.

    1. 1

      It depends. It definitely locks you into using Go. But it keeps you within the 4KB limit more easily. I wouldn’t use it on a serious project, but I’ve done it before on a throwaway where I just needed to store a user session cookie easily.

      1. 1

        You can use gobs in other languages. Less supported, yes, but you write some tests around it and you can be robust enough for client side work.

      2. 1

        Please use something like secretbox for encryption instead of building your own: https://pkg.go.dev/golang.org/x/crypto/nacl/secretbox

        Also, while storing all state in the cookie, instead of in a database, is a nice trick, it’s hard to invalidate the cookies. Same problem with JWT in cookies. Unless you have a huge amount of traffic, just put the sessions in postgres or redis and just store the session id in the cookie.

        1. 1

          For secretbox, the nonce should go in a database, no? So, it wouldn’t really work as a client session cookie. I guess you could sign the nonce and store it in a second cookie?
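An added example, not code from the thread or from the secretbox package, showing the pattern the question above is about: a fresh random nonce is generated per cookie and stored in front of the authenticated ciphertext inside the cookie itself, so no database (and no second cookie) is needed to recover it. It uses AES-256-GCM from Go's standard library as a stand-in for secretbox (the same random-nonce-plus-authenticated-ciphertext construction), and the Session type, its field names and the error strings are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"time"
)

// Session is the state carried entirely in the cookie (constructed example type).
type Session struct {
	UserID  string    `json:"uid"`
	Expires time.Time `json:"exp"`
}

// Sealer wraps one AES-256-GCM key (32 bytes); build it once at startup.
type Sealer struct{ aead cipher.AEAD }

func NewSealer(key []byte) (*Sealer, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Sealer{aead}, err
}

// Seal returns base64(nonce || ciphertext || tag); the nonce rides inside the cookie, not in a DB.
func (c *Sealer) Seal(s Session) (string, error) {
	plain, _ := json.Marshal(s) // Session has only marshalable fields
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(c.aead.Seal(nonce, nonce, plain, nil)), nil
}

// Open checks the GCM tag (any modified byte fails) and rejects sessions past Expires.
func (c *Sealer) Open(cookie string, now time.Time) (s Session, err error) {
	raw, err := base64.RawURLEncoding.DecodeString(cookie)
	if n := c.aead.NonceSize(); err != nil || len(raw) < n {
		return s, errors.New("malformed cookie")
	} else if plain, err := c.aead.Open(nil, raw[:n], raw[n:], nil); err != nil {
		return s, errors.New("cookie tampered with or wrong key")
	} else if err = json.Unmarshal(plain, &s); err != nil || !now.Before(s.Expires) {
		return Session{}, errors.New("invalid or expired session")
	}
	return s, nil
}
```

Because the state lives only in the cookie, the Expires field is the only invalidation lever, which is the trade-off the parent comment describes. A real deployment would also reject any Seal output longer than about 4KB, the per-cookie limit mentioned earlier in the thread.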