
Where is the session persisted? Is there a way to use a cookie as session storage even with its limits? #213

Closed
frederikhors opened this issue Jan 5, 2019 · 1 comment

Comments

@frederikhors
Contributor

Issue opened for the creation of a wiki page that summarizes the doubts and problems for newbies (#210).

  • Where is the session persisted?
  • Is there a way to use a cookie as session storage even with its limits (4KB)?

I come from Rails. In Rails there is https://guides.rubyonrails.org/security.html#encrypted-session-storage mechanism.

Am I wrong about this?

@aarondl
Member

aarondl commented Jan 6, 2019

Session is persisted however you decide it is. The authboss-sample uses the package: https://github.com/volatiletech/authboss-clientstate which implements authboss.ClientStateReadWriter for sessions and cookies. It does this by using the gorilla packages (http://www.gorillatoolkit.org/pkg/). The cookies in the authboss-sample are encrypted before being sent to the client and authenticated on return, so they are tamper-proof and very secure (except that the secret key is public in that repository, which makes it very insecure; your own application should not share the secret key, just like you don't in Rails).

Authboss stores fairly little in the session, so using cookies on the client side is fine for this (as long as they're secured properly as noted above). In your application, if you're going to be using more session stuff, you may want to implement your own authboss.ClientStateReadWriter using Redis or files or whatever as a backing store. Gorilla supports file-backed stores, and the authboss-clientstate repo can take an existing gorilla store, so these two libraries can be used to get file storage sessions very easily.
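As an added illustration of the encrypted-and-authenticated cookie session the reply describes (example code written for this page, not code from authboss, authboss-clientstate or gorilla): it seals session bytes with AES-GCM under an application secret, refuses any value that will not fit in the 4KB cookie, and fails closed when the value was edited on the client. The function names and the AES-GCM construction are my own choices; gorilla's securecookie does the same job with its own wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
)

const maxCookieBytes = 4096 // the 4KB cookie limit the question mentions
var errTampered = errors.New("session cookie failed authentication")
var errTooLarge = errors.New("session does not fit in a 4KB cookie")

// newSessionCipher builds the AEAD from the app secret (16, 24 or 32 bytes); keep the key out of the repo.
func newSessionCipher(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealSession encrypts and authenticates session bytes (AES-GCM, standing in
// for gorilla securecookie) and returns the cookie value, or errTooLarge.
func sealSession(gcm cipher.AEAD, session []byte) (string, error) {
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	value := base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, session, nil))
	if len(value) > maxCookieBytes {
		return "", errTooLarge
	}
	return value, nil
}

// openSession checks the tag before decrypting: an edited cookie yields errTampered, never altered session data.
func openSession(gcm cipher.AEAD, value string) ([]byte, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(value)
	n := gcm.NonceSize()
	if err != nil || len(sealed) < n {
		return nil, errTampered
	}
	plain, err := gcm.Open(nil, sealed[:n], sealed[n:], nil)
	if err != nil {
		return nil, errTampered
	}
	return plain, nil
}
```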

@aarondl aarondl closed this as completed Jan 6, 2019