Class: Merb::CookieSession

Inherits:
SessionContainer show all
Defined in:
lib/merb-core/dispatch/session/cookie.rb

Overview

If you have more than 4K of session data or don't want your data to be visible to the user, pick another session store.

CookieOverflow is raised if you attempt to store more than 4K of data. TamperedWithCookie is raised if the data integrity check fails.

A message digest is included with the cookie to ensure data integrity: a user cannot alter session data without knowing the secret key included in the hash.

To use Cookie Sessions, set in config/merb.yml

:session_secret_key - your secret digest key
:session_store - cookie

Defined Under Namespace

Classes: CookieOverflow, TamperedWithCookie

Constant Summary collapse

MAX =

Cookies can typically store 4096 bytes.

4096
DIGEST =

or MD5, RIPEMD160, SHA256?

OpenSSL::Digest::Digest.new('SHA1')

Instance Attribute Summary collapse

Attributes inherited from SessionContainer

#needs_new_cookie, #session_id

Class Method Summary collapse

Instance Method Summary collapse

Methods inherited from SessionContainer

#clear!, inherited

Constructor Details

#initialize(session_id, cookie, secret) ⇒ CookieSession

Parameters

session_id<String>

A unique identifier for this session.

cookie<String>

The raw cookie data.

secret<String>

A session secret.

Raises

ArgumentError

blank or insufficiently long secret.

:api: private


78
79
80
81
82
83
84
85
86
87
# File 'lib/merb-core/dispatch/session/cookie.rb', line 78

def initialize(session_id, cookie, secret)
  super session_id
  if secret.blank? || secret.length < 16
    msg = "You must specify a session_secret_key in your init file, and it must be at least 16 characters"
    Merb.logger.warn(msg)
    raise ArgumentError, msg
  end
  @secret = secret
  self.update(unmarshal(cookie))
end

Instance Attribute Details

#_original_session_dataObject

:api: private


34
35
36
# File 'lib/merb-core/dispatch/session/cookie.rb', line 34

def _original_session_data
  @_original_session_data
end

Class Method Details

.generateObject

Generates a new session ID and creates a new session.

Returns

SessionContainer

The new session.

:api: private


46
47
48
# File 'lib/merb-core/dispatch/session/cookie.rb', line 46

def generate
  self.new(Merb::SessionMixin.rand_uuid, "", Merb::Request._session_secret_key)
end

.setup(request) ⇒ Object

Set up a new session on request: make it available on request instance.

Parameters

request<Merb::Request>

The Merb::Request that came in from Rack.

Returns

SessionContainer

a SessionContainer. If no sessions were found,

a new SessionContainer will be generated.

:api: private


60
61
62
63
64
65
# File 'lib/merb-core/dispatch/session/cookie.rb', line 60

def setup(request)
  session = self.new(Merb::SessionMixin.rand_uuid,
    request.session_cookie_value, request._session_secret_key)
  session._original_session_data = session.to_cookie
  request.session = session
end

Instance Method Details

#finalize(request) ⇒ Object

Teardown and/or persist the current session.

If @_destroy is true, clear out the session completely, including removal of the session cookie itself.

Parameters

request<Merb::Request>

request object created from Rack environment.

:api: private


98
99
100
101
102
103
104
# File 'lib/merb-core/dispatch/session/cookie.rb', line 98

def finalize(request)
  if @_destroy
    request.destroy_session_cookie
  elsif _original_session_data != (new_session_data = self.to_cookie)
    request.set_session_cookie_value(new_session_data)
  end
end

#regenerateObject

Regenerate the session_id.

:api: private


109
110
111
# File 'lib/merb-core/dispatch/session/cookie.rb', line 109

def regenerate
  self.session_id = Merb::SessionMixin.rand_uuid
end

Create the raw cookie string; includes an HMAC keyed message digest.

Returns

String

Cookie value.

Raises

CookieOverflow

More than 4K of data put into session.

Notes

Session data is converted to a Hash first, since a container might choose to marshal it, which would make it persist attributes like 'needs_new_cookie', which it shouldn't.

:api: private


127
128
129
130
131
132
133
134
135
136
137
138
# File 'lib/merb-core/dispatch/session/cookie.rb', line 127

def to_cookie
  unless self.empty?
    data = self.serialize
    value = Merb::Parse.escape "#{data}--#{generate_digest(data)}"
    if value.size > MAX
      msg = "Cookies have limit of 4K. Session contents: #{data.inspect}"
      Merb.logger.error!(msg)
      raise CookieOverflow, msg
    end
    value
  end
end