Cookie中的OAuth2授权代码，好还是不好？

I can not seem to find a SIMPLE answer to the question on how to persist OAuth2 authentication... Let's take Google+ OAuth2 API as an example.

1. User goes to page
2. User is not authenticated, and gets redirected to authentication page where he logs in
3. User logs in successfully and authorises my app
4. User gets redirect to specified (by me) URI with Authorisation Code
5. I use authorisation code to obtain a token in order to submit queries in the name of the user

All is good and well. My question is: how do you SECURELY know at step 2 that the user visiting the page is already logged in, without having to go through the whole process of redirecting him to all these pages.

I assume storing the Authorisation Code retrieved at step 4 in a cookie is not an option.

All of this will happen in a server-side (Go - if that matters) application. Any help is much appreciated... I need a simple solution.

Thank you!

use server-side sessions to store any authentication state or even access tokens if you need them.

one solution is to use a database for session store (an encrypted cookie holds the session id) and another is to use cookie sessions (encrypted cookies that hold the session data). using encrypted cookies that only the server is able to decrypt should be safe enough.