Class: Merb::CookieSession

Inherits:

SessionContainer

• Object
• Mash
• SessionContainer
• Merb::CookieSession

Defined in:

lib/merb-core/dispatch/session/cookie.rb

Overview

If you have more than 4K of session data or don’t want your data to be visible to the user, pick another session store.

CookieOverflow is raised if you attempt to store more than 4K of data. TamperedWithCookie is raised if the data integrity check fails.

A message digest is included with the cookie to ensure data integrity: a user cannot alter session data without knowing the secret key included in the hash.

To use Cookie Sessions, set in config/merb.yml

:session_secret_key - your secret digest key
:session_store - cookie

Defined Under Namespace

Classes: CookieOverflow, TamperedWithCookie

Constant Summary

MAX =

Cookies can typically store 4096 bytes.

4096

DIGEST =

or MD5, RIPEMD160, SHA256?

OpenSSL::Digest::Digest.new('SHA1')

Instance Attribute Summary

• #_original_session_data ⇒ Object

  :api: private.

Attributes inherited from SessionContainer

#needs_new_cookie, #session_id

Class Method Summary

• .generate ⇒ Object

  Generates a new session ID and creates a new session.

• .setup(request) ⇒ Object

  Set up a new session on request: make it available on request instance.

Instance Method Summary

• #finalize(request) ⇒ Object

  Teardown and/or persist the current session.

• #initialize(session_id, cookie, secret) ⇒ CookieSession constructor

  Parameters session_id<String>:: A unique identifier for this session.

• #regenerate ⇒ Object

  Regenerate the session_id.

• #to_cookie ⇒ Object

  Create the raw cookie string; includes an HMAC keyed message digest.

Methods inherited from SessionContainer

#clear!, inherited

Constructor Details

#initialize(session_id, cookie, secret) ⇒ CookieSession

Parameters

session_id<String>

A unique identifier for this session.

cookie<String>

The raw cookie data.

secret<String>

A session secret.

Raises

ArgumentError

blank or insufficiently long secret.

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 78

def initialize(session_id, cookie, secret)
  super session_id
  if secret.blank? || secret.length < 16
    msg = "You must specify a session_secret_key in your init file, and it must be at least 16 characters"
    Merb.logger.warn(msg)
    raise ArgumentError, msg
  end
  @secret = secret
  self.update(unmarshal(cookie))
end

Instance Attribute Details

#_original_session_data ⇒ Object

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 34

def _original_session_data
  @_original_session_data
end

Class Method Details

.generate ⇒ Object

Generates a new session ID and creates a new session.

Returns

SessionContainer

The new session.

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 46

def generate
  self.new(Merb::SessionMixin.rand_uuid, "", Merb::Request._session_secret_key)
end

.setup(request) ⇒ Object

Set up a new session on request: make it available on request instance.

Parameters

request<Merb::Request>

The Merb::Request that came in from Rack.

Returns

SessionContainer

a SessionContainer. If no sessions were found,

a new SessionContainer will be generated.

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 60

def setup(request)
  session = self.new(Merb::SessionMixin.rand_uuid,
    request.session_cookie_value, request._session_secret_key)
  session._original_session_data = session.to_cookie
  request.session = session
end

Instance Method Details

#finalize(request) ⇒ Object

Teardown and/or persist the current session.

If @_destroy is true, clear out the session completely, including removal of the session cookie itself.

Parameters

request<Merb::Request>

request object created from Rack environment.

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 98

def finalize(request)
  if @_destroy
    request.destroy_session_cookie
  elsif _original_session_data != (new_session_data = self.to_cookie)
    request.set_session_cookie_value(new_session_data)
  end
end

#regenerate ⇒ Object

Regenerate the session_id.

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 109

def regenerate
  self.session_id = Merb::SessionMixin.rand_uuid
end

#to_cookie ⇒ Object

Create the raw cookie string; includes an HMAC keyed message digest.

Returns

String

Cookie value.

Raises

CookieOverflow

More than 4K of data put into session.

Notes

Session data is converted to a Hash first, since a container might choose to marshal it, which would make it persist attributes like ‘needs_new_cookie’, which it shouldn’t.

:api: private

# File 'lib/merb-core/dispatch/session/cookie.rb', line 127

def to_cookie
  unless self.empty?
    data = self.serialize
    value = Merb::Parse.escape "#{data}--#{generate_digest(data)}"
    if value.size > MAX
      msg = "Cookies have limit of 4K. Session contents: #{data.inspect}"
      Merb.logger.error!(msg)
      raise CookieOverflow, msg
    end
    value
  end
end