1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
| | # frozen_string_literal: true
# AUTHOR: blink <blinketje@gmail.com>; blink#ruby-lang@irc.freenode.net
# bugrep: Andreas Zehnder
require 'rack'
require 'time'
require 'rack/request'
require 'rack/response'
require 'securerandom'
module Rack
module Session
module Abstract
# SessionHash is responsible to lazily load the session from store.
class SessionHash
using Module.new {
refine Hash do
def transform_keys(&block)
hash = {}
each do |key, value|
hash[block.call(key)] = value
end
hash
end
end
} unless {}.respond_to?(:transform_keys)
def transform_keys(&block)
hash = dup
each do |key, value|
hash[block.call(key)] = value
end
hash
end
include Enumerable
attr_writer :id
Unspecified = Object.new
def self.find(req)
req.get_header RACK_SESSION
end
def self.set(req, session)
req.set_header RACK_SESSION, session
end
def self.set_options(req, options)
req.set_header RACK_SESSION_OPTIONS, options.dup
end
def initialize(store, req)
@store = store
@req = req
@loaded = false
end
def id
return @id if @loaded or instance_variable_defined?(:@id)
@id = @store.send(:extract_session_id, @req)
end
def options
@req.session_options
end
def each(&block)
load_for_read!
@data.each(&block)
end
def [](key)
load_for_read!
@data[key.to_s]
end
def fetch(key, default = Unspecified, &block)
load_for_read!
if default == Unspecified
@data.fetch(key.to_s, &block)
else
@data.fetch(key.to_s, default, &block)
end
end
def has_key?(key)
load_for_read!
@data.has_key?(key.to_s)
end
alias :key? :has_key?
alias :include? :has_key?
def []=(key, value)
load_for_write!
@data[key.to_s] = value
end
alias :store :[]=
def clear
load_for_write!
@data.clear
end
def destroy
clear
@id = @store.send(:delete_session, @req, id, options)
end
def to_hash
load_for_read!
@data.dup
end
def update(hash)
load_for_write!
@data.update(stringify_keys(hash))
end
alias :merge! :update
def replace(hash)
load_for_write!
@data.replace(stringify_keys(hash))
end
def delete(key)
load_for_write!
@data.delete(key.to_s)
end
def inspect
if loaded?
@data.inspect
else
"#<#{self.class}:0x#{self.object_id.to_s(16)} not yet loaded>"
end
end
def exists?
return @exists if instance_variable_defined?(:@exists)
@data = {}
@exists = @store.send(:session_exists?, @req)
end
def loaded?
@loaded
end
def empty?
load_for_read!
@data.empty?
end
def keys
load_for_read!
@data.keys
end
def values
load_for_read!
@data.values
end
private
def load_for_read!
load! if !loaded? && exists?
end
def load_for_write!
load! unless loaded?
end
def load!
@id, session = @store.send(:load_session, @req)
@data = stringify_keys(session)
@loaded = true
end
def stringify_keys(other)
other.transform_keys(&:to_s)
end
end
# ID sets up a basic framework for implementing an id based sessioning
# service. Cookies sent to the client for maintaining sessions will only
# contain an id reference. Only #find_session and #write_session are
# required to be overwritten.
#
# All parameters are optional.
# * :key determines the name of the cookie, by default it is
# 'rack.session'
# * :path, :domain, :expire_after, :secure, and :httponly set the related
# cookie options as by Rack::Response#set_cookie
# * :skip will not a set a cookie in the response nor update the session state
# * :defer will not set a cookie in the response but still update the session
# state if it is used with a backend
# * :renew (implementation dependent) will prompt the generation of a new
# session id, and migration of data to be referenced at the new id. If
# :defer is set, it will be overridden and the cookie will be set.
# * :sidbits sets the number of bits in length that a generated session
# id will be.
#
# These options can be set on a per request basis, at the location of
# <tt>env['rack.session.options']</tt>. Additionally the id of the
# session can be found within the options hash at the key :id. It is
# highly not recommended to change its value.
#
# Is Rack::Utils::Context compatible.
#
# Not included by default; you must require 'rack/session/abstract/id'
# to use.
class Persisted
DEFAULT_OPTIONS = {
key: RACK_SESSION,
path: '/',
domain: nil,
expire_after: nil,
secure: false,
httponly: true,
defer: false,
renew: false,
sidbits: 128,
cookie_only: true,
secure_random: ::SecureRandom
}.freeze
attr_reader :key, :default_options, :sid_secure
def initialize(app, options = {})
@app = app
@default_options = self.class::DEFAULT_OPTIONS.merge(options)
@key = @default_options.delete(:key)
@cookie_only = @default_options.delete(:cookie_only)
initialize_sid
end
def call(env)
context(env)
end
def context(env, app = @app)
req = make_request env
prepare_session(req)
status, headers, body = app.call(req.env)
res = Rack::Response::Raw.new status, headers
commit_session(req, res)
[status, headers, body]
end
private
def make_request(env)
Rack::Request.new env
end
def initialize_sid
@sidbits = @default_options[:sidbits]
@sid_secure = @default_options[:secure_random]
@sid_length = @sidbits / 4
end
# Generate a new session id using Ruby #rand. The size of the
# session id is controlled by the :sidbits option.
# Monkey patch this to use custom methods for session id generation.
def generate_sid(secure = @sid_secure)
if secure
secure.hex(@sid_length)
else
"%0#{@sid_length}x" % Kernel.rand(2**@sidbits - 1)
end
rescue NotImplementedError
generate_sid(false)
end
# Sets the lazy session at 'rack.session' and places options and session
# metadata into 'rack.session.options'.
def prepare_session(req)
session_was = req.get_header RACK_SESSION
session = session_class.new(self, req)
req.set_header RACK_SESSION, session
req.set_header RACK_SESSION_OPTIONS, @default_options.dup
session.merge! session_was if session_was
end
# Extracts the session id from provided cookies and passes it and the
# environment to #find_session.
def load_session(req)
sid = current_session_id(req)
sid, session = find_session(req, sid)
[sid, session || {}]
end
# Extract session id from request object.
def extract_session_id(request)
sid = request.cookies[@key]
sid ||= request.params[@key] unless @cookie_only
sid
end
# Returns the current session id from the SessionHash.
def current_session_id(req)
req.get_header(RACK_SESSION).id
end
# Check if the session exists or not.
def session_exists?(req)
value = current_session_id(req)
value && !value.empty?
end
# Session should be committed if it was loaded, any of specific options like :renew, :drop
# or :expire_after was given and the security permissions match. Skips if skip is given.
def commit_session?(req, session, options)
if options[:skip]
false
else
has_session = loaded_session?(session) || forced_session_update?(session, options)
has_session && security_matches?(req, options)
end
end
def loaded_session?(session)
!session.is_a?(session_class) || session.loaded?
end
def forced_session_update?(session, options)
force_options?(options) && session && !session.empty?
end
def force_options?(options)
options.values_at(:max_age, :renew, :drop, :defer, :expire_after).any?
end
def security_matches?(request, options)
return true unless options[:secure]
request.ssl?
end
# Acquires the session from the environment and the session id from
# the session options and passes them to #write_session. If successful
# and the :defer option is not true, a cookie will be added to the
# response with the session's id.
def commit_session(req, res)
session = req.get_header RACK_SESSION
options = session.options
if options[:drop] || options[:renew]
session_id = delete_session(req, session.id || generate_sid, options)
return unless session_id
end
return unless commit_session?(req, session, options)
session.send(:load!) unless loaded_session?(session)
session_id ||= session.id
session_data = session.to_hash.delete_if { |k, v| v.nil? }
if not data = write_session(req, session_id, session_data, options)
req.get_header(RACK_ERRORS).puts("Warning! #{self.class.name} failed to save session. Content dropped.")
elsif options[:defer] and not options[:renew]
req.get_header(RACK_ERRORS).puts("Deferring cookie for #{session_id}") if $VERBOSE
else
cookie = Hash.new
cookie[:value] = data
cookie[:expires] = Time.now + options[:expire_after] if options[:expire_after]
cookie[:expires] = Time.now + options[:max_age] if options[:max_age]
set_cookie(req, res, cookie.merge!(options))
end
end
public :commit_session
# Sets the cookie back to the client with session id. We skip the cookie
# setting if the value didn't change (sid is the same) or expires was given.
def set_cookie(request, res, cookie)
if request.cookies[@key] != cookie[:value] || cookie[:expires]
res.set_cookie_header =
Utils.add_cookie_to_header(res.set_cookie_header, @key, cookie)
end
end
# Allow subclasses to prepare_session for different Session classes
def session_class
SessionHash
end
# All thread safety and session retrieval procedures should occur here.
# Should return [session_id, session].
# If nil is provided as the session id, generation of a new valid id
# should occur within.
def find_session(env, sid)
raise '#find_session not implemented.'
end
# All thread safety and session storage procedures should occur here.
# Must return the session id if the session was saved successfully, or
# false if the session could not be saved.
def write_session(req, sid, session, options)
raise '#write_session not implemented.'
end
# All thread safety and session destroy procedures should occur here.
# Should return a new session id or nil if options[:drop]
def delete_session(req, sid, options)
raise '#delete_session not implemented'
end
end
class ID < Persisted
def self.inherited(klass)
k = klass.ancestors.find { |kl| kl.respond_to?(:superclass) && kl.superclass == ID }
unless k.instance_variable_defined?(:"@_rack_warned")
warn "#{klass} is inheriting from #{ID}. Inheriting from #{ID} is deprecated, please inherit from #{Persisted} instead" if $VERBOSE
k.instance_variable_set(:"@_rack_warned", true)
end
super
end
# All thread safety and session retrieval procedures should occur here.
# Should return [session_id, session].
# If nil is provided as the session id, generation of a new valid id
# should occur within.
def find_session(req, sid)
get_session req.env, sid
end
# All thread safety and session storage procedures should occur here.
# Must return the session id if the session was saved successfully, or
# false if the session could not be saved.
def write_session(req, sid, session, options)
set_session req.env, sid, session, options
end
# All thread safety and session destroy procedures should occur here.
# Should return a new session id or nil if options[:drop]
def delete_session(req, sid, options)
destroy_session req.env, sid, options
end
end
end
end
end
|