Class: Rack::Session::Deadline
- Inherits: Object
- Defined in: lib/rack-deadline.rb
Overview
Rack middleware that automatically clears sessions that are open too long. This is designed to mitigate session fixation attacks in pure cookie-based session storage.
Constant Summary
- ENV_KEY = 'rack.session'.freeze
- DEFAULT_KEY = '_deadline'.freeze
- DEFAULT_DEADLINE = 86400
Instance Method Summary
- #call(env) ⇒ Object
  Before calling the app, clears the session if it has passed the deadline.
- #initialize(app, opts = {}) ⇒ Deadline (constructor)
  Configure the middleware with the given options: :deadline, the maximum number of seconds a session can be open.
Constructor Details
#initialize(app, opts = {}) ⇒ Deadline
Configure the middleware with the given options:
- :deadline: the maximum number of seconds a session can be open.
- :key: the key in the session hash in which to store the deadline.
```ruby
# File 'lib/rack-deadline.rb', line 14
def initialize(app, opts = {})
  @app = app
  @deadline = opts[:deadline] || DEFAULT_DEADLINE   # seconds a session may stay open
  @key = opts[:key] || DEFAULT_KEY                   # session key holding the absolute expiry time
  @time_class = opts[:time_class] || Time            # anything responding to .now (undocumented option; handy for tests)
end
```
Instance Method Details
#call(env) ⇒ Object
Before calling the app, clears the session if it has passed the deadline. After calling the app, sets the deadline in the session if it hasn't been set yet.
```ruby
# File 'lib/rack-deadline.rb', line 23
def call(env)
  # Clear the session if its deadline has passed. A session that carries no
  # deadline yet is cleared as well (this includes a user's very first request).
  if (session = env[ENV_KEY]) && (!session.has_key?(@key) || session[@key] < @time_class.now.to_i)
    session.clear
  end
  res = @app.call(env)
  # Record an absolute expiry time on a fresh session; an existing deadline is
  # left untouched, so it does not slide forward with activity.
  if session
    session[@key] ||= @time_class.now.to_i + @deadline
  end
  res
end
```
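As an added example (not the rack-deadline project's own code), the following drives the middleware through one session's lifetime with an injectable clock so the clearing behaviour is deterministic; the Deadline class is reproduced from this page so the example runs without the rack gem, while FakeClock, APP and run_scenario are constructed here.

```ruby
module Rack
  module Session
    class Deadline   # reproduced from the page so the example runs without the rack gem
      ENV_KEY = 'rack.session'.freeze
      DEFAULT_KEY = '_deadline'.freeze
      DEFAULT_DEADLINE = 86400
      def initialize(app, opts = {})
        @app = app
        @deadline = opts[:deadline] || DEFAULT_DEADLINE
        @key = opts[:key] || DEFAULT_KEY
        @time_class = opts[:time_class] || Time
      end
      def call(env)
        # A session with no deadline recorded at all is cleared as well.
        if (session = env[ENV_KEY]) && (!session.has_key?(@key) || session[@key] < @time_class.now.to_i)
          session.clear
        end
        res = @app.call(env)
        session[@key] ||= @time_class.now.to_i + @deadline if session
        res
      end
    end
  end
end
# Constructed clock standing in for Time: .now returns an Integer, whose to_i is itself.
class FakeClock; class << self; attr_accessor :now; end; end
# Constructed downstream app: records the user id on "login", otherwise just echoes the session.
APP = lambda do |env|
  session = env[Rack::Session::Deadline::ENV_KEY]
  session['user_id'] = env['login'] if env['login']
  [200, {}, [session.inspect]]
end
# Drives one cookie-backed session (a plain Hash here) through login, then a request just
# before the deadline and one just after it, returning a snapshot of the session after each.
def run_scenario(deadline = 60)
  mw = Rack::Session::Deadline.new(APP, deadline: deadline, time_class: FakeClock)
  session, snapshots = {}, {}
  FakeClock.now = 1_000
  mw.call(Rack::Session::Deadline::ENV_KEY => session, 'login' => 'alice')
  snapshots[:after_login] = session.dup     # {"user_id"=>"alice", "_deadline"=>1060}
  FakeClock.now = 1_000 + deadline - 1
  mw.call(Rack::Session::Deadline::ENV_KEY => session)
  snapshots[:before_deadline] = session.dup # unchanged: the deadline is absolute, not sliding
  FakeClock.now = 1_000 + deadline + 1
  mw.call(Rack::Session::Deadline::ENV_KEY => session)
  snapshots[:after_deadline] = session.dup  # user_id gone; a new deadline of 1121 is set
  snapshots
end
```

Because the deadline is absolute, a session fixated before login is discarded no later than :deadline seconds after it was first seen, regardless of how actively it is used.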