top | item 9378959

steakejjs | 11 years ago

After reviewing the code, it looks like I was wrong. The code from the tutorial won't provide any encryption for your sessions, only integrity.

In order to encrypt the values in the session, rather than just encode them, you have to do a NewCookieStore([]byte("HMACKey"), []byte("CipherKey")) instead of a NewCookieStore([]byte("HMACKey")). I guess to answer your question, separate keys.

https://gist.github.com/steakejjs/6c17f07c4ca72115bfec

Here's a gist that shows a regular session, created with NewSessionStore([]byte("something-very-secret")), having the values inside recovered easily.

The strings "foo" and "bar" are pretty easy to spot in the base64 output.
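The difference the comment describes, as an added example that is not part of the comment or its gist: a standard-library-only model of a signed cookie value, not gorilla/sessions' own code. The names `seal` and `leaks` are hypothetical, the 16-byte AES key is constructed, and the layout (gob, optional AES-CTR, HMAC-SHA256, base64) is a simplification assumed for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/gob"
	"fmt"
)

// seal (hypothetical, simplified model): gob-serialize, AES-CTR if blockKey is set, append HMAC, base64.
func seal(vals map[string]string, hashKey, blockKey []byte) (string, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(vals); err != nil {
		return "", err
	}
	body := buf.Bytes()
	if blockKey != nil { // confidentiality only when a second key is supplied
		blk, err := aes.NewCipher(blockKey)
		if err != nil {
			return "", err
		}
		iv := make([]byte, blk.BlockSize())
		if _, err := rand.Read(iv); err != nil {
			return "", err
		}
		cipher.NewCTR(blk, iv).XORKeyStream(body, body)
		body = append(iv, body...)
	}
	mac := hmac.New(sha256.New, hashKey) // integrity in both modes
	mac.Write(body)
	return base64.URLEncoding.EncodeToString(mac.Sum(body)), nil
}

// leaks reports whether a reader holding only the cookie, and no keys, can see needle.
func leaks(cookie, needle string) bool {
	raw, err := base64.URLEncoding.DecodeString(cookie)
	return err == nil && bytes.Contains(raw, []byte(needle))
}

func main() {
	vals := map[string]string{"foo": "bar"} // constructed sample session
	signed, _ := seal(vals, []byte("HMACKey"), nil)
	sealed, _ := seal(vals, []byte("HMACKey"), []byte("0123456789abcdef"))
	fmt.Println(leaks(signed, "foo"), leaks(sealed, "foo"))
}
```

The HMAC stops a client from altering the value in either mode; only the second key stops the client from reading it.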
