Chapter 10. Sessions and Cookies

In the last chapter, we conquered database transactions. We extended our hipstr application to use them, and it worked, and it was good. If you've been paying attention (and I'm sure you have because it's Chapter 10 and we're almost done), you'll have noticed that we've yet to actually authenticate our user, create a session, or write any cookies. Well, I've got news for you: In this chapter, we're going to do all three of those things! That is, we're going to cover the following topics in this chapter:

  • Learn about sessions and how they're maintained in Luminus and Noir
  • Build a form to authenticate our user
  • Create a cookie that remembers the username for the next time a user wants to log in

We'll start off with a bit of how these things are accomplished in Luminus (and the underlying lib-noir library), and then extend our hipstr application to embrace these missing components.

Sessions

HTTP, the foundation of the web as we know it, is stateless. This means that every request is independent of any previous request. In the world of HTTP, each request has a matching response. We see independent requests everywhere in HTTP; requesting a static resource, a web page, or an AJAX request are all examples of the stateless protocol in action.

That being said, we still require the ability to track users across requests. Without some type of unique tracking of the person or system sending the request, we wouldn't be able to have authenticated-only pages, partition user data, or a zillion other things. Sessions allow us to track information about the sender between each request.

In our hipstr app, this is tied together by a cookie called ring-session. You can view the cookie by navigating to the hipstr app on your machine (http://localhost:3000, by default) and opening the development tools in your browser, where you can typically view the resources for the page. There's usually a Cookies section in there that shows which cookies for the current site exist in your browser. In Safari, you'll see the following screenshot:

[Screenshot: Sessions]

Likewise, in Chrome, you'll see something like the following screenshot:

[Screenshot: Sessions]

In Internet Explorer…well, honestly, I've not used it in almost a decade. But I think you can hit Ctrl + F12 and do an Irish jig or something, and it'll tell you what you need to know.

The ring-session cookie is written out on the first request and lasts for the lifetime of the browser. The writing of the cookie is handled for us automatically – in fact, all of the session setup and management is handled for us automatically. In Chapter 2, Ring and the Ring Server, we talked about the Luminus-generated hipstr.handler namespace, in which there is a call to app-handler that is used to package up the hipstr application handler. On the surface, the app-handler seems like a fairly simple thing. Behind the scenes, however, it's tying together a lot of different middlewares (both lib-noir and Ring middlewares) and functionality, including session and cookie management.
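To make the mechanism concrete, here is an added example (not code from the book or from hipstr) that wires Ring's session middleware by hand and drives it with constructed request maps, so you can see the ring-session cookie issued on the first response and the state lost when the cookie is not sent back. It assumes ring-core is on the classpath; the names visit-counter, app, request-with, session-cookie, and demo are hypothetical.

```clojure
(ns example.session-demo
  (:require [clojure.string :as str]
            [ring.middleware.session :refer [wrap-session]]
            [ring.middleware.session.memory :refer [memory-store]]))

;; Hypothetical handler: keeps a per-visitor counter in the session map.
(defn visit-counter [request]
  (let [n (inc (get-in request [:session :visits] 0))]
    {:status  200
     :headers {"Content-Type" "text/plain"}
     :body    (str "visit " n)
     ;; Returning :session tells the middleware to persist it.
     :session {:visits n}}))

;; The session data stays on the server (in memory here); the browser
;; only holds an opaque key in the ring-session cookie.
(def app
  (wrap-session visit-counter
                {:store        (memory-store)
                 :cookie-name  "ring-session"
                 ;; HttpOnly keeps page scripts from reading the key.
                 ;; Add :secure true once the app is served over HTTPS.
                 :cookie-attrs {:http-only true
                                :same-site :strict}}))

;; Constructed request map; a browser would send the cookie header itself.
(defn request-with [cookie]
  {:request-method :get
   :uri            "/"
   :headers        (if cookie {"cookie" cookie} {})})

;; Pull "ring-session=<key>" out of the first Set-Cookie header value.
(defn session-cookie [response]
  (some-> (get-in response [:headers "Set-Cookie"])
          first
          (str/split #";")
          first))

(defn demo []
  (let [first-resp (app (request-with nil))
        cookie     (session-cookie first-resp)]
    {:set-cookie     (first (get-in first-resp [:headers "Set-Cookie"]))
     ;; Same cookie sent back: the counter continues.
     :with-cookie    (:body (app (request-with cookie)))
     ;; No cookie: the server sees a brand-new visitor.
     :without-cookie (:body (app (request-with nil)))}))
```

Calling (demo) at a REPL returns the raw Set-Cookie value alongside the two response bodies, which makes it easy to check which attributes the middleware actually attached to the session cookie.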

Note

For the curious: The ring-defaults library, way deep under the hood, has quite the middleware. You can take a peek at it here: https://github.com/ring-clojure/ring-defaults/blob/master/src/ring/middleware/defaults.clj
