1
module ActionController
3
# This cookie-based session store is the Rails default. Sessions typically
4
# contain at most a user_id and flash message; both fit within the 4K cookie
5
# size limit. Cookie-based sessions are dramatically faster than the
8
# If you have more than 4K of session data or don't want your data to be
9
# visible to the user, pick another session store.
11
# CookieOverflow is raised if you attempt to store more than 4K of data.
13
# A message digest is included with the cookie to ensure data integrity:
14
# a user cannot alter his +user_id+ without knowing the secret key
15
# included in the hash. New apps are generated with a pregenerated secret
16
# in config/environment.rb. Set your own for old apps you're upgrading.
20
# * <tt>:secret</tt>: An application-wide key string or block returning a
21
# string called per generated digest. The block is called with the
22
# CGI::Session instance as an argument. It's important that the secret
23
# is not vulnerable to a dictionary attack. Therefore, you should choose
24
# a secret consisting of random numbers and letters and more than 30
25
# characters. Examples:
27
# :secret => '449fe2e7daee471bffae2fd8dc02313d'
28
# :secret => Proc.new { User.current_user.secret_key }
30
# * <tt>:digest</tt>: The message digest algorithm used to verify session
31
# integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
32
# such as 'MD5', 'RIPEMD160', 'SHA256', etc.
34
# To generate a secret key for an existing application, run
35
# "rake secret" and set the key in config/environment.rb.
37
# Note that changing digest or secret invalidates all existing sessions!
39
# Cookies can typically store 4096 bytes.
41
SECRET_MIN_LENGTH = 30 # characters
44
:key => '_session_id',
51
ENV_SESSION_KEY = "rack.session".freeze
52
ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
53
HTTP_SET_COOKIE = "Set-Cookie".freeze
55
# Raised when storing more than 4K of session data.
56
class CookieOverflow < StandardError; end
58
def initialize(app, options = {})
59
# Process legacy CGI options
60
options = options.symbolize_keys
61
if options.has_key?(:session_path)
62
options[:path] = options.delete(:session_path)
64
if options.has_key?(:session_key)
65
options[:key] = options.delete(:session_key)
67
if options.has_key?(:session_http_only)
68
options[:httponly] = options.delete(:session_http_only)
73
# The session_key option is required.
74
ensure_session_key(options[:key])
75
@key = options.delete(:key).freeze
77
# The secret option is required.
78
ensure_secret_secure(options[:secret])
79
@secret = options.delete(:secret).freeze
81
@digest = options.delete(:digest) || 'SHA1'
82
@verifier = verifier_for(@secret, @digest)
84
@default_options = DEFAULT_OPTIONS.merge(options).freeze
90
env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
91
env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup
93
status, headers, body = @app.call(env)
95
session_data = env[ENV_SESSION_KEY]
96
options = env[ENV_SESSION_OPTIONS_KEY]
98
if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
99
session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
100
session_data = marshal(session_data.to_hash)
102
raise CookieOverflow if session_data.size > MAX
105
cookie[:value] = session_data
106
unless options[:expire_after].nil?
107
cookie[:expires] = Time.now + options[:expire_after]
110
cookie = build_cookie(@key, cookie.merge(options))
111
unless headers[HTTP_SET_COOKIE].blank?
112
headers[HTTP_SET_COOKIE] << "\n#{cookie}"
114
headers[HTTP_SET_COOKIE] = cookie
118
[status, headers, body]
122
# Should be in Rack::Utils soon
123
def build_cookie(key, value)
126
domain = "; domain=" + value[:domain] if value[:domain]
127
path = "; path=" + value[:path] if value[:path]
128
# According to RFC 2109, we need dashes here.
129
# N.B.: cgi.rb uses spaces...
130
expires = "; expires=" + value[:expires].clone.gmtime.
131
strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
132
secure = "; secure" if value[:secure]
133
httponly = "; HttpOnly" if value[:httponly]
134
value = value[:value]
136
value = [value] unless Array === value
137
cookie = Rack::Utils.escape(key) + "=" +
138
value.map { |v| Rack::Utils.escape(v) }.join("&") +
139
"#{domain}#{path}#{expires}#{secure}#{httponly}"
142
def load_session(env)
143
request = Rack::Request.new(env)
144
session_data = request.cookies[@key]
145
data = unmarshal(session_data) || persistent_session_id!({})
146
[data[:session_id], data]
149
# Marshal a session hash into safe cookie data. Include an integrity hash.
151
@verifier.generate(persistent_session_id!(session))
154
# Unmarshal cookie data to a hash and verify its integrity.
155
def unmarshal(cookie)
156
persistent_session_id!(@verifier.verify(cookie)) if cookie
157
rescue ActiveSupport::MessageVerifier::InvalidSignature
161
def ensure_session_key(key)
163
raise ArgumentError, 'A key is required to write a ' +
164
'cookie containing the session data. Use ' +
165
'config.action_controller.session = { :key => ' +
166
'"_myapp_session", :secret => "some secret phrase" } in ' +
167
'config/environment.rb'
171
# To prevent users from using something insecure like "Password" we make sure that the
172
# secret they've provided is at least 30 characters in length.
173
def ensure_secret_secure(secret)
174
# There's no way we can do this check if they've provided a proc for the
176
return true if secret.is_a?(Proc)
179
raise ArgumentError, "A secret is required to generate an " +
180
"integrity hash for cookie session data. Use " +
181
"config.action_controller.session = { :key => " +
182
"\"_myapp_session\", :secret => \"some secret phrase of at " +
183
"least #{SECRET_MIN_LENGTH} characters\" } " +
184
"in config/environment.rb"
187
if secret.length < SECRET_MIN_LENGTH
188
raise ArgumentError, "Secret should be something secure, " +
189
"like \"#{ActiveSupport::SecureRandom.hex(16)}\". The value you " +
190
"provided, \"#{secret}\", is shorter than the minimum length " +
191
"of #{SECRET_MIN_LENGTH} characters"
195
def verifier_for(secret, digest)
196
key = secret.respond_to?(:call) ? secret.call : secret
197
ActiveSupport::MessageVerifier.new(key, digest)
201
ActiveSupport::SecureRandom.hex(16)
204
def persistent_session_id!(data)
205
(data ||= {}).merge!(inject_persistent_session_id(data))
208
def inject_persistent_session_id(data)
209
requires_session_id?(data) ? { :session_id => generate_sid } : {}
212
def requires_session_id?(data)
214
data.respond_to?(:key?) && !data.key?(:session_id)