This question gets a ton of views–and has a Popular Question badge–so I know there is a lot of latent interest in this topic, and many people are asking exactly the same thing and not finding answers on the Interwebs.
Most of the available information results in the textual equivalent of the hand wavy thing, left as an “exercise for the reader.”
However I’ve finally located one concrete example, (generously) provided by a member of the golang-nuts mailing list:
This provides a suggested schema and server-side implementation as a basis for custom authentication. The client-side code is still up to you.
(I hope the author of the post sees this: Thanks!)
Excerpted (and reformatted):
"I would suggest something like the following design:
create table User (
ID int primary key identity(1,1),
create table UserSession (
SessionKey text primary key,
UserID int not null, -- Could have a hard "references User"
LoginTime <time type> not null,
LastSeenTime <time type> not null
- When a user logs in to your site via a POST under TLS, determine if the password is valid.
- Then issue a random session key, say 50 or more crypto rand characters and stuff in a secure Cookie.
- Add that session key to the UserSession table.
- Then when you see that user again, first hit the UserSession table to see if the SessionKey is in there with a valid LoginTime and LastSeenTime and User is not deleted. You could design it so a timer automatically clears out old rows in UserSession."