- Go: Building Web Applications
- Table of Contents
- Go: Building Web Applications
- Go: Building Web Applications
- Credits
- Preface
- 1. Module 1
- 2. Module 2
- 1. Chat Application with Web Sockets
- 2. Adding Authentication
- 3. Three Ways to Implement Profile Pictures
- 4. Command-line Tools to Find Domain Names
- 5. Building Distributed Systems and Working with Flexible Data
- 6. Exposing Data and Functionality through a RESTful Data Web Service API
- 7. Random Recommendations Web Service
- 8. Filesystem Backup
- 3. Module 3
- 1. An Introduction to Concurrency in Go
- 2. Understanding the Concurrency Model
- 3. Developing a Concurrent Strategy
- 4. Data Integrity in an Application
- 5. Locks, Blocks, and Better Channels
- 6. C10K – A Non-blocking Web Server in Go
- 7. Performance and Scalability
- 8. Concurrent Application Architecture
- Designing our concurrent application
- Identifying our requirements
- Using NoSQL as a data store in Go
- Monitoring filesystem changes
- Managing logfiles
- Handling configuration files
- Detecting file changes
- Backing up our files
- Designing our web interface
- Reverting a file's history – command line
- Checking the health of our server
- Summary
- 9. Logging and Testing Concurrency in Go
- 10. Advanced Concurrency and Best Practices
- Going beyond the basics with channels
- Building workers
- Implementing nil channel blocks
- Implementing more granular control over goroutines with tomb
- Timing out with channels
- Building a load balancer with concurrent patterns
- Choosing unidirectional and bidirectional channels
- Using an indeterminate channel type
- Using Go with unit testing
- Using Google App Engine
- Utilizing best practices
- Summary
- A. Bibliography
- Index
One of the attack vectors we looked at earlier was session hijacking, which we discussed in the context of HTTP versus HTTPS and the way others can see the types of information that are critical to identity on a website.
Finding this data is incredibly simple on public networks for a lot of non-HTTPS applications that utilize sessions as definitive IDs. In fact, some large applications have allowed session IDs to be passed in URLs
In our application, we've used Gorilla's securecookie package, which does not rely on HTTPS because the cookie values themselves are encoded and validated using HMAC hashing.
Producing the key itself can be very simple, as demonstrated in our application and the securecookie documentation:
var hashKey = []byte("secret hash key")
var blockKey = []byte("secret-er block key")
var secureKey = securecookie.New(hashKey, blockKey)Note
For more info on Gorilla's securecookie package see: http://www.gorillatoolkit.org/pkg/securecookie
Presently, our app's server has HTTPS first and secure cookies, which means that we likely feel a little more confident about storing and identifying data in the cookie itself. Most of our create/update/delete operations are happening at the API level, which still implements session checking to ensure our users are authenticated.
-
No Comment