"github.com/go-macaron/csrf"
"github.com/go-macaron/session"
// Register the template renderer and the session middleware. The handlers
// below take a session.Store argument, so the session middleware has to be
// registered before those routes are declared.
// NOTE(review): this excerpt does not show where m is created, nor any
// m.Use(csrf.Csrfer()) call. The csrf.CSRF argument and csrf.Validate used
// further down presumably depend on that middleware being registered after
// the session middleware. Confirm against the full file.
m.Use(macaron.Renderer())
m.Use(session.Sessioner())
// Simulate the authentication of a session.
// Intended behaviour: if uid exists in the session, redirect to a form that
// requires CSRF protection.
// NOTE(review): as shown here the redirect to /protected sits directly under
// the uid == nil check, which is the opposite of the stated intent. The
// unauthenticated branch (redirect to /login, return, closing brace) appears
// to be missing from this excerpt. Verify against the full source before
// reusing this.
m.Get("/", func(ctx *macaron.Context, sess session.Store) {
if sess.Get("uid") == nil {
ctx.Redirect("/protected")
// Set uid for the session. The handler body is not visible in this excerpt.
// NOTE(review): this route stands in for a real login. It is a GET handler
// and no credential check is visible here. A production login should be a
// POST that verifies credentials and issues a fresh session ID before storing
// uid, so a session ID fixed before authentication is not carried over.
m.Get("/login", func(ctx *macaron.Context, sess session.Store) {
// Render a protected form. The CSRF token is obtained by calling x.GetToken()
// on the injected csrf.CSRF value and handed to the template.
m.Get("/protected", func(ctx *macaron.Context, sess session.Store, x csrf.CSRF) {
// Unauthenticated sessions are sent to /login.
// NOTE(review): 401 is not a redirect status, so browsers will not follow the
// Location header. Use a 3xx status for a redirect, or answer 401 without one.
// NOTE(review): no return or closing brace after the redirect is visible in
// this excerpt. Without a return, the token would still be generated and the
// form rendered for a session that has no uid.
if sess.Get("uid") == nil {
ctx.Redirect("/login", 401)
// Pass token to the protected template. The "protected" template must put
// this value into the form it renders (for example as a hidden field) so
// that the POST below carries it back.
// NOTE(review): the middleware is believed to read the token from the `_csrf`
// form field or the `X-CSRFToken` header by default. Confirm against the
// csrf.Options in use.
ctx.Data["csrf_token"] = x.GetToken()
ctx.HTML(200, "protected")
// Apply CSRF validation to route. csrf.Validate is listed before the handler,
// so it runs first. The handler body is only meant to run for requests whose
// token was accepted.
m.Post("/protected", csrf.Validate, func(ctx *macaron.Context, sess session.Store) {
// Authenticated session with a valid token: acknowledge the submission.
// NOTE(review): no return or closing brace after RenderData is visible in
// this excerpt. As shown, the redirect below would also run after the
// success response has been written.
if sess.Get("uid") != nil {
ctx.RenderData(200, []byte("You submitted a valid token"))
// NOTE(review): 401 with a Location header is not followed by browsers. Use a
// 3xx status for a redirect, or answer 401 without one.
ctx.Redirect("/login", 401)