cookies - Handling OAuth Responses & Sessions
At the end of the OAuth2 token exchange, I'm [typically] left with a JSON array of user data that I've un-marshalled into a struct (say, GoogleUser) with the fields I care about.

What is a sensible way of recording this data in the DB? Call a CreateUser function from the callback handler, pass it the struct, and save it (the obvious way to me), after checking that the user doesn't already exist in the DB?

I assume I should create a session token (i.e. session.Values["authenticated"] == true) in the callback handler, store it in a cookie (with a reasonable expiry date), and check whether authenticated == true in the handler functions that expect a logged-in user? Or, for admin handlers: if admin_user == true. What are the risks here (if any), presuming I'm talking over HTTPS and using secure cookies?

Apologies for the basic questions: I'm trying to get a grip on "best practice" ways to log users in with OAuth.
With regards to the first question, it's recommended to check and insert in a single transaction. Depending on the DB you're using, these are referred to as upsert statements. In PL/pgSQL it looks a bit like this (modify to taste):

    CREATE FUNCTION upsert_user(emailv character varying,
                                saltv character varying,
                                hashv character varying,
                                date_createdv timestamp without time zone)
    RETURNS void AS
    $$
    BEGIN
        LOOP
            -- first try to update the key
            UPDATE users SET (salt, hash) = (saltv, hashv) WHERE email = emailv;
            IF found THEN
                RETURN;
            END IF;
            -- not there, so try to insert the key
            -- if someone else inserts the same key concurrently,
            -- we could get a unique-key failure
            BEGIN
                INSERT INTO users(email, salt, hash, date_created)
                VALUES (emailv, saltv, hashv, date_createdv);
                RETURN;
            EXCEPTION WHEN unique_violation THEN
                -- do nothing, and loop to try the UPDATE again
            END;
        END LOOP;
    END;
    $$
    LANGUAGE plpgsql;
In regards to the second question, usually secure cookies over HTTPS are enough. I'd set the HttpOnly option, and the Path option as well. HttpOnly means the cookie can't be accessed by JS (only over HTTP or HTTPS), and the Path option allows you to specify the path (in the URL) the cookie is valid for.
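The cookie attributes described in the answer, plus the authenticated/admin checks the question asks about, in Go's standard net/http. This is an added example, not code from the question or the answer: the in-memory sessionStore, the session cookie name and the requireAuth/requireAdmin helpers are constructed for illustration. The design point it shows is that only an opaque random ID goes into the cookie; the authenticated and admin_user flags stay server-side, so a client cannot edit them, and an expired session is rejected even if the browser still sends the cookie.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

const sessionCookieName = "session" // constructed name for this example

var errNoSession = errors.New("no valid session")

// sessionData is what the server remembers about a logged-in user.
// These flags never leave the server; the cookie only carries an ID.
type sessionData struct {
	UserEmail     string
	Authenticated bool
	AdminUser     bool
	Expires       time.Time
}

// sessionStore is a hypothetical in-memory store; a real deployment would
// back it with a DB or cache shared by all instances.
type sessionStore struct {
	mu       sync.Mutex
	sessions map[string]sessionData
}

func newSessionStore() *sessionStore {
	return &sessionStore{sessions: make(map[string]sessionData)}
}

// newSessionID returns 256 bits from crypto/rand, hex encoded, so the
// value in the cookie cannot be guessed or enumerated.
func newSessionID() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// createSession is what the OAuth callback handler would call after the
// provider's user data has been upserted. It returns the cookie to set.
func (s *sessionStore) createSession(email string, admin bool, ttl time.Duration) (*http.Cookie, error) {
	id, err := newSessionID()
	if err != nil {
		return nil, err
	}
	exp := time.Now().Add(ttl)
	s.mu.Lock()
	s.sessions[id] = sessionData{UserEmail: email, Authenticated: true, AdminUser: admin, Expires: exp}
	s.mu.Unlock()
	return &http.Cookie{
		Name:     sessionCookieName,
		Value:    id,
		Path:     "/",  // only sent for URLs under this path
		Expires:  exp,  // reasonable expiry, mirrored server-side
		Secure:   true, // never sent over plain HTTP
		HttpOnly: true, // not readable from JavaScript
		SameSite: http.SameSiteLaxMode,
	}, nil
}

// lookup resolves the request's session cookie to server-side data,
// rejecting missing, unknown and expired sessions.
func (s *sessionStore) lookup(r *http.Request) (sessionData, error) {
	c, err := r.Cookie(sessionCookieName)
	if err != nil {
		return sessionData{}, errNoSession
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	sd, ok := s.sessions[c.Value]
	if !ok || !sd.Authenticated {
		return sessionData{}, errNoSession
	}
	if time.Now().After(sd.Expires) {
		delete(s.sessions, c.Value) // expired: forget it server-side too
		return sessionData{}, errNoSession
	}
	return sd, nil
}

// requireAuth wraps a handler that expects a logged-in user.
func (s *sessionStore) requireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if _, err := s.lookup(r); err != nil {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// requireAdmin additionally checks the admin flag held server-side.
func (s *sessionStore) requireAdmin(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		sd, err := s.lookup(r)
		if err != nil || !sd.AdminUser {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next(w, r)
	}
}

func main() {
	store := newSessionStore()
	c, err := store.createSession("alice@example.com", false, time.Hour) // constructed user
	if err != nil {
		panic(err)
	}
	fmt.Println("Set-Cookie:", c.String())
	r, _ := http.NewRequest("GET", "https://example.com/me", nil)
	r.AddCookie(c)
	sd, err := store.lookup(r)
	fmt.Println("lookup:", sd.UserEmail, err)
}
```

The handler-side check is the same whether the session is stored in a cookie library's values map or, as here, in a server-side table: the request proves possession of an unguessable ID, and every authorization decision reads the flags from the server's copy rather than from anything the client sent.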