Help with Password Authentication

Hello,

I’m currently making a small application and I’d like to learn how to add authentication to the application. My best guess is using cookies, but I’ve never really figured out authentication within any web application format and I’d like to change that. Right now I’m using Gin for routes, Render for templates, and Gorm for the database, if that changes the process.

My understanding of how to do this process would be to create a cookie and store it in the database with reference to the user, then when a user logs in check to see if that cookie is valid and matches. As for the middleware to control different views, I would validate that cookie and see if it matches with a user.

I’m trying to accomplish basic password authentication along with middleware and have some sort of role system, so admins can have access to certain things a normal user would not.

As of right now I have a simple User struct

package main

import "gorm.io/gorm" // the ORM mentioned above (older projects import github.com/jinzhu/gorm instead)

// User is the model as posted; gorm.Model adds the ID, CreatedAt, UpdatedAt and DeletedAt columns.
type User struct {
	gorm.Model
	Email     string
	FirstName string
	LastName  string
	Role      string // used for the admin/normal-user distinction described above
	Password  string // should hold a password hash, never the plaintext password
}

If anyone could point me in the right direction or help me out a bit I would appreciate it since I don’t want to mess up authentication or do something that may not be secure for my application.

Thanks!

There is much more about user authentication in a Web application than just cookie handling. I am not a Web auth expert (far from it!), but if you don’t mind spending some bucks, I recommend @joncalhoun’s eBook “Web Development with Go” that has two excellent chapters on this topic.

If you don’t want to buy a book, you surely will also find tutorials on this on the Web. The point I am trying to make is that your question might seem a simple one but the answer is complex and would not fit into a forum comment.

I will definitely check the book out; thanks for the resource suggestion, it looks like it would be very useful for my learning process. Thanks!

There are two parts of authentication, the client side and server side.

client side = cookies
server side = database

The user sends data in a form (username and password); it is validated against the database and a session ID is created in the backend. This session ID is set as a cookie in the user’s browser.

When you route a restricted URL, you read the “sessionID” from the cookie; if it is valid, you allow access, otherwise you reject it.

You can read more in my book, https://github.com/thewhitetulip/web-dev-golang-anti-textbook/blob/master/manuscript/4.0authentication.md

If you want a real life example, read

I would recommend not getting into everything at once, first learn to build a webapp without using any framework and then go to using gin and everything else, you’d be confused otherwise. If you are interested, then you can read my book, it teaches writing webapps without using a framework and has a live webapp which you can learn from!

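
The login-then-session-cookie flow described in the replies above, written out as an added example (it is not code from this thread or from either book) in plain net/http with the standard library only, so it runs offline. The function names (AddUser, Login, RequireRole) are my own; hashPassword is a salted SHA-256 stand-in for bcrypt/argon2id from golang.org/x/crypto, which a real application should use instead; and the two maps stand in for the Gorm users and sessions tables.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"net/http"
)

type account struct{ Salt, Hash, Role string }                  // the users table stores a salt and a hash, never the password
var users, sessions = map[string]account{}, map[string]string{} // in-memory stand-ins for the Gorm tables: email -> account, session ID -> email
// hashPassword is a stdlib stand-in for bcrypt/argon2id (golang.org/x/crypto) so this example runs offline; use one of those for real.
func hashPassword(salt, pw string) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(salt+pw)))
}
func randomHex(n int) string {
	b := make([]byte, n) // crypto/rand, never math/rand, for salts and session IDs
	if _, err := rand.Read(b); err != nil {
		panic(err) // nothing safe can be done without randomness
	}
	return fmt.Sprintf("%x", b)
}
func AddUser(email, password, role string) {
	salt := randomHex(16)
	users[email] = account{Salt: salt, Hash: hashPassword(salt, password), Role: role}
}
// Login validates the form data and, on success, creates the server-side session and returns its cookie.
func Login(email, password string) (*http.Cookie, bool) {
	u, ok := users[email]
	if !ok || subtle.ConstantTimeCompare([]byte(u.Hash), []byte(hashPassword(u.Salt, password))) != 1 {
		return nil, false // same answer for an unknown user and a wrong password
	}
	id := randomHex(32)
	sessions[id] = email
	return &http.Cookie{Name: "sessionID", Value: id, Path: "/", HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode}, true
}
// RequireRole guards a restricted route: cookie -> stored session -> role check ("" means any logged-in user).
func RequireRole(role string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		email, ok := "", false
		if c, err := r.Cookie("sessionID"); err == nil {
			email, ok = sessions[c.Value]
		}
		if !ok || (role != "" && users[email].Role != role) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

The cookie is only an opaque random ID; everything that matters (which user, which role) is looked up server-side on every request, so a forged or stale cookie simply fails the lookup.
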
Don’t forget to read up about CSRF attacks and how to prevent them.
