Package gorilla/sessions provides cookie and filesystem sessions and infrastructure for custom session backends.
A minor maintenance release that improves documentation and adds two new third-party store implementations.
This release removes gorilla/context as a dependency. sessions now requires Go 1.7 or greater (released August, 2016), which provides a first-class request context for sessions and reduces user-facing complexity.
gorilla/sessions now supports the SameSite cookie attribute added in Go 1.11.
Cookies with this set (in Strict mode, preferably) are only sent on requests originating from the same origin as the cookie domain, rather than for all requests to that domain no matter the origin.
You can set SameSite on a session by setting session.Options.SameSite to a valid value:
func MyHandler(w http.ResponseWriter, r *http.Request) {
	session, err := store.Get(r, "session-name")
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	// Set the SameSite mode via one of the typed constants described
	// at https://golang.org/pkg/net/http/#SameSite
	session.Options = &sessions.Options{SameSite: http.SameSiteStrictMode}
	if err := session.Save(r, w); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
}
You can read more about the SameSite attribute on Mozilla's blog, or in the RFC itself.
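The handler above assigns a new Options struct that sets only SameSite, so the other fields (Secure, HttpOnly, Path, MaxAge) take their zero values for that session. The following check is an added example, not gorilla/sessions code: it uses only the standard library to inspect the Set-Cookie header a handler emits. The names auditSessionCookie and cookieHandler are hypothetical, and cookieHandler is a constructed stand-in for a handler that saves a session.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// auditSessionCookie (hypothetical helper) runs h once and returns the
// hardening attributes missing from the cookie called name.
func auditSessionCookie(h http.Handler, name string) []string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest("GET", "https://example.test/", nil))
	for _, c := range rec.Result().Cookies() {
		if c.Name != name {
			continue
		}
		var missing []string
		if c.SameSite != http.SameSiteStrictMode && c.SameSite != http.SameSiteLaxMode {
			missing = append(missing, "SameSite")
		}
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		return missing
	}
	return []string{"cookie not set"}
}

// cookieHandler is a constructed stand-in for a session-saving handler:
// it emits the cookie that the given attributes produce.
func cookieHandler(c http.Cookie) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.SetCookie(w, &c)
	})
}

func main() {
	// Constructed sample cookies; the second mirrors Options{SameSite: ...} alone.
	full := http.Cookie{Name: "session-name", Value: "x", Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode}
	onlySameSite := http.Cookie{Name: "session-name", Value: "x",
		SameSite: http.SameSiteStrictMode}
	fmt.Println(auditSessionCookie(cookieHandler(full), "session-name"))
	fmt.Println(auditSessionCookie(cookieHandler(onlySameSite), "session-name"))
}
```

In a real test suite, pass your own handler (for example http.HandlerFunc(MyHandler)) in place of cookieHandler.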
Versioning v1.1.1 to correctly comply with SemVer.
CHANGELOG
03b6f63 Add AUTHORS file; update LICENSE (#158)
9ee0d62 [build] Update deps to correct SemVer tags (#153)
a2f2a3d replacing travis badge with scaling svg (#147)
92b749d Add link to XORM store implementation (#149)
7910f5b Added description about Max-Age field in Options (#148)
7087b4d Add go.mod file for vgo dependency management. (#145)
6ba88b7 Prevent panic in NewSession function (#140)
41ee504 Add link to memstore implementation (#143)
fe21b6a Update doc.go (#127)
a3acf13 Add missing error check (#123)
*http.Requests and Go 1.7's new http.Request.WithContext(). The shallow copy of the request changes the address, causing gorilla/context's map to point to the old request.