Class: Rack::Session::SmartCookie

Inherits:
Cookie
  • Object
Defined in:
lib/rack/session/smart_cookie.rb,
lib/rack/session/smart_cookie/version.rb

Defined Under Namespace

Classes: Base64, MessagePack

Constant Summary

BAD_DIGESTS =
%w[MD2 MD4 MD5 SHA].freeze
DEFAULT_DIGEST =
'SHA256'
SECRET_MIN_BYTESIZE =
16
VERSION =
'0.2.0'.freeze

Instance Method Summary

Constructor Details

#initialize(app, options = {}) ⇒ SmartCookie

Returns a new instance of SmartCookie.



# File 'lib/rack/session/smart_cookie.rb', line 71

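# Builds the middleware, fills in the defaults the parent constructor needs,
# and emits security warnings for a broken digest or a badly sized secret.
#
# @param app [#call] the downstream Rack application (handed to +super+ untouched)
# @param options [Hash] session options; this class reads :coder, :hmac,
#   :digest and :digest_bytes, everything else is consumed by the parent
#   (Rack::Session::Cookie takes :secret / :old_secret there)
# @return [SmartCookie]
def initialize(app, options={})
  # Defaults are written straight into +options+ on purpose: the bare +super+
  # below forwards that same hash, so the parent constructor must see them.
  options[:coder] ||= MessagePack.new
  unless options.key?(:hmac)
    # :digest names an OpenSSL digest (e.g. 'SHA256'); :hmac overrides it
    # with a digest class directly.
    options[:hmac] = OpenSSL::Digest(options.fetch(:digest, DEFAULT_DIGEST))
  end

  super

  # @secrets is filled in by the parent constructor (Rack::Session::Cookie
  # collects :secret and :old_secret there). Any secret in the list can still
  # verify an incoming cookie, so the byte-size check covers every one of them
  # rather than only the first.
  if @secrets.any?
    hmac = options[:hmac].new # throwaway object for inspection purposes
    # Captured once, outside the block below, so "Called from" keeps pointing
    # at the code that constructed the middleware rather than at #each.
    call_site = caller[0]

    warn <<-MSG if BAD_DIGESTS.include?(hmac.name)
  SECURITY WARNING: You have elected to use an old and insecure message
  digest algorithm (#{hmac.class}).

  Such algorithms are generally considered to be effectively broken. It
  is strongly recommended that you elect to use a message digest
  algorithm from the SHA2 family: SHA224, SHA256, SHA384, or SHA512, or
  one of the derivatives such as SHA512/256. This will help prevent
  exploits that may be possible from crafted cookies.

  Called from: #{call_site}.
    MSG

    # Loop-invariant parts of the size warning, hoisted out of the loop.
    acceptable_sizes = SECRET_MIN_BYTESIZE..hmac.block_length
    show_caveat = hmac.digest_length > SECRET_MIN_BYTESIZE

    @secrets.each do |secret|
      next if acceptable_sizes.cover?(secret.bytesize)

      message = String.new(<<-MSG)
  SECURITY WARNING: You have provided a session secret with a sub-optimal
  byte size.

  It is strongly recommended that you select a secret at least #{SECRET_MIN_BYTESIZE} bytes
  long#{'*' if show_caveat}, but not longer than the block size (#{hmac.block_length} bytes) of the selected
  message digest algorithm (#{hmac.class}). This will help
  prevent exploits that may be possible from crafted cookies.
      MSG

      message << "\n        " \
        "* - Ideally, at least #{hmac.digest_length} bytes long.\n" if show_caveat

      message << "\n        " \
        "Called from: #{call_site}."

      warn message
    end
  end

  # Optional truncation length for the HMAC tag; nil when the caller did not
  # set it. NOTE(review): no lower bound is checked here — confirm where it
  # is consumed.
  @digest_bytes = options[:digest_bytes]
end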