I use a Go server (golang.org), which does have good support for encryption and a third-party package which provides basic cookie-based session handling. I am looking for guidelines on generating tokens, and good practice for storing, invalidating, etc. My application needs custom user management. Can one use OAuth in an offline setting, or is there any better way?
Generally, session cookies should be:
- opaque. You should not be passing any information hidden in the cookie. It is merely an identifier.
- unguessable. You wouldn't want people to be able to guess other people's session tokens and hijack them.
- collision resistant. If you have thousands of users on your site all at the same time, you need reasonably large tokens so two users don't end up with the same token.
- stored safely. Save your session information somewhere web browsers (and other public users) have no access to them. Usually this means saving them on disk outside of the server's document tree, or putting them into a database.
- deleted close to expiration. You don't want to keep session data forever. Once in a while, you need to go through the session data and delete everything that has expired.
I'm not sure where OAuth comes into this, since that is an authentication system and you're asking about session management. (Although I realize the two can be related.)
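The five properties listed in the answer above, worked into a small Go session store. This is an added example and not code from the question or the answer: it assumes an in-memory map standing in for the database, keys the map by the SHA-256 of the token (so a leaked dump of the store does not hand out usable cookies), and exposes an injectable clock (`now`) purely so expiry can be exercised without sleeping. Tokens come from `crypto/rand` (32 bytes, 256 bits, so they are unguessable and collisions are negligible), carry no user data (opaque), are looked up server-side, and are dropped on logout or once expired, either lazily in `Lookup` or in bulk by `Sweep`.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// tokenBytes is the size of the random token: 32 bytes gives 256 bits of
// entropy, enough that guessing and accidental collisions are both negligible.
const tokenBytes = 32

// Session is the server-side record a token points to. The token itself
// carries none of this; it is only an identifier.
type Session struct {
	UserID  string
	Expires time.Time
}

// Store keeps sessions keyed by the SHA-256 of the token so that a leaked
// copy of the store does not yield usable cookies. The map is an assumption
// for this example; a database table would be keyed the same way.
type Store struct {
	mu       sync.Mutex
	sessions map[string]Session
	now      func() time.Time // injectable clock, an assumption for testability
}

func NewStore() *Store {
	return &Store{sessions: make(map[string]Session), now: time.Now}
}

// NewToken returns a fresh, unguessable, URL-safe token from crypto/rand.
func NewToken() (string, error) {
	b := make([]byte, tokenBytes)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// hashToken derives the storage key; the raw token is never written down.
func hashToken(token string) string {
	sum := sha256.Sum256([]byte(token))
	return hex.EncodeToString(sum[:])
}

// Create mints a token for userID that expires after ttl and records the session.
func (s *Store) Create(userID string, ttl time.Duration) (string, error) {
	token, err := NewToken()
	if err != nil {
		return "", err
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.sessions[hashToken(token)] = Session{UserID: userID, Expires: s.now().Add(ttl)}
	return token, nil
}

// Lookup resolves a token to its session. An expired session is treated as
// absent and deleted on the spot.
func (s *Store) Lookup(token string) (Session, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	key := hashToken(token)
	sess, ok := s.sessions[key]
	if !ok {
		return Session{}, false
	}
	if !s.now().Before(sess.Expires) {
		delete(s.sessions, key)
		return Session{}, false
	}
	return sess, true
}

// Revoke invalidates a token immediately (logout).
func (s *Store) Revoke(token string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	delete(s.sessions, hashToken(token))
}

// Sweep deletes every expired session and reports how many it removed;
// run it periodically so stale rows do not accumulate.
func (s *Store) Sweep() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	now, n := s.now(), 0
	for k, sess := range s.sessions {
		if !now.Before(sess.Expires) {
			delete(s.sessions, k)
			n++
		}
	}
	return n
}

// Len reports how many sessions are currently held.
func (s *Store) Len() int {
	s.mu.Lock()
	defer s.mu.Unlock()
	return len(s.sessions)
}

// SessionCookie wraps a token in a cookie that page scripts cannot read and
// that the browser only sends over HTTPS.
func SessionCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name: "session", Value: token, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
		MaxAge: int(ttl.Seconds()),
	}
}

func main() {
	st := NewStore()
	tok, err := st.Create("alice", time.Hour) // "alice" is a made-up user
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", SessionCookie(tok, time.Hour).String())
	sess, ok := st.Lookup(tok)
	fmt.Println("lookup:", sess.UserID, ok)
}
```

The cookie itself is only the random string; everything about the user lives in the store. Hashing the token before using it as a key means the lookup is by exact map key rather than a string comparison, so no timing side channel on the token value is introduced, and the stored hashes are useless to anyone who reads the store.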