
Minimalist Go sessions with a secure cookie Store implementation

MIT License



Package sessions provides minimalist Go sessions, backed by securecookie or database stores.


  • Store provides an interface for managing a user Session
    • May be implemented by custom session database backends
  • Session stores a typed value (via generics)
  • Session provides convenient key/value Set, Get, and GetOk methods
  • NewCookieStore implements a Store backed by client-side cookies (signed and optionally encrypted)


Create a Store for managing Session's. NewCookieStore returns a Store that signs and optionally encrypts cookies to support user sessions.

A Session stores a map of key/value pairs (e.g. "userID": "a1b2c3"). Starting with v0.4.0, sessions uses Go generics to allow specifying a type for stored values. Previously, values were type interface{} or any, which required type assertions.

import (

func NewServer() (http.Handler) {
  // client-side cookies
  store := sessions.NewCookieStore[string](
    // use a 32 byte or 64 byte hash key
    // use a 32 byte (AES-256) encryption key
  server.sessions = store

Issue a session cookie from a handler (e.g. login handler).

func (s server) Login() http.Handler {
  fn := func(w http.ResponseWriter, req *http.Request) {
    // create a session
    session := s.sessions.New("my-app")
    // add user-id to session
    session.Set("user-id", "a1b2c3")
    // save the session to the response
    if err := session.Save(w); err != nil {
      // handle error
  return http.HandlerFunc(fn)

Access the session and its values (e.g. require authentication).

func (s server) RequireLogin() http.Handler {
  fn := func(w http.ResponseWriter, req *http.Request) {
    session, err := s.sessions.Get("my-app")
    if err != nil {
      http.Error(w, "missing session", http.StatusUnauthorized)

    userID, present := session.GetOk("user-id")
    if !present {
      http.Error(w, "missing user-id", http.StatusUnauthorized)

    fmt.Fprintf(w, `<p>Welcome %d!</p>
    <form action="/logout" method="post">
    <input type="submit" value="Logout">
    </form>`, userID)
  return http.HandlerFunc(fn)

Delete a session when a user logs out.

func (s server) Logout() http.Handler {
  fn := func(w http.ResponseWriter, req *http.Request) {
    if req.Method == "POST" {
      s.sessions.Destroy(w, "my-app")
    http.Redirect(w, req, "/", http.StatusFound)
  return http.HandlerFunc(fn)


