Class: Utopia::Session

Inherits:
Object
  • Object
Defined in:
lib/utopia/session.rb,
lib/utopia/session/lazy_hash.rb

Overview

Stores all session data client side using a private symmetric encryption key.

Defined Under Namespace

Classes: LazyHash

Constant Summary collapse

RACK_SESSION =
"rack.session".freeze
CIPHER_ALGORITHM =
"aes-256-cbc"
DEFAULT_EXPIRES_AFTER =

The session will expire if no requests were made within 24 hours:

3600*24
DEFAULT_UPDATE_TIMEOUT =

At a minimum, the session will be updated every hour:

3600

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(app, session_name: nil, secret: nil, expires_after: nil, update_timeout: nil, **options) ⇒ Session

Returns a new instance of Session.



# File 'lib/utopia/session.rb', line 39

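# Build the session middleware around +app+.
#
# @param app [#call] the downstream Rack application.
# @param session_name [String, nil] env key the session hash is stored under; defaults to RACK_SESSION.
# @param secret [String, nil] secret the 32-byte AES key is derived from. When nil or empty a random
#   transient secret is generated, so sessions will not survive a process restart and cannot be shared
#   between processes; production deployments should always supply one.
# @param expires_after [Integer, nil] seconds of inactivity before the session expires; defaults to DEFAULT_EXPIRES_AFTER.
# @param update_timeout [Integer, nil] interval after which the session is refreshed; defaults to DEFAULT_UPDATE_TIMEOUT.
# @param options [Hash] extra cookie attributes merged over (and overriding) the defaults below, e.g. +secure: true+.
def initialize(app, session_name: nil, secret: nil, expires_after: nil, update_timeout: nil, **options)
	@app = app
	
	@session_name = session_name || RACK_SESSION
	@cookie_name = @session_name + ".encrypted"
	
	if secret.nil? || secret.empty?
		secret = SecureRandom.hex(32)
		# Do not print the generated secret: stderr is routinely captured into logs, which are
		# not handled as key material. Only announce that a transient key is in use.
		warn "#{self.class} secret is missing, generating transient secret key!"
	end
	
	# This generates a 32-byte key suitable for aes: a single SHA-256 of the secret, with no salt
	# or key-stretching, so the secret itself must be high-entropy.
	@key = Digest::SHA2.digest(secret)
	
	@expires_after = expires_after || DEFAULT_EXPIRES_AFTER
	@update_timeout = update_timeout || DEFAULT_UPDATE_TIMEOUT
	
	@cookie_defaults = {
		domain: nil,
		path: "/",
		# The Secure attribute is meant to keep cookie communication limited to encrypted transmission,
		# directing browsers to use cookies only via secure/encrypted connections. However, if a web
		# server sets a cookie with a secure attribute from a non-secure connection, the cookie can still
		# be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum
		# security, cookies with the Secure attribute should only be set over a secure connection.
		# It defaults to false here so the middleware works over plain HTTP in development; pass
		# +secure: true+ in +options+ for anything served over HTTPS.
		secure: false,
		# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP
		# (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting
		# languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting
		# (a pervasive attack technique).
		http_only: true,
	}.merge(options)
end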

Instance Attribute Details

Returns the value of attribute cookie_defaults.



# File 'lib/utopia/session.rb', line 72

# @return [Hash] the attributes applied to the session cookie (built in +initialize+ from the
#   defaults merged with the caller's options).
def cookie_defaults; @cookie_defaults; end

Returns the value of attribute cookie_name.



# File 'lib/utopia/session.rb', line 66

# @return [String] the name of the cookie carrying the encrypted session
#   (the session name with +.encrypted+ appended).
def cookie_name; @cookie_name; end

#expires_after ⇒ Object (readonly)

Returns the value of attribute expires_after.



# File 'lib/utopia/session.rb', line 69

# @return [Integer] seconds of inactivity after which the session expires.
def expires_after; @expires_after; end

#key ⇒ Object (readonly)

Returns the value of attribute key.



# File 'lib/utopia/session.rb', line 67

# @return [String] the 32-byte symmetric key derived from the configured secret.
#   Treat it as secret material: do not log or expose it.
def key; @key; end

#update_timeout ⇒ Object (readonly)

Returns the value of attribute update_timeout.



# File 'lib/utopia/session.rb', line 70

# @return [Integer] interval after which the session is refreshed regardless of changes.
def update_timeout; @update_timeout; end

Instance Method Details

#call(env) ⇒ Object



# File 'lib/utopia/session.rb', line 84

# Rack entry point: prepare the session for this request, run the wrapped
# application, then give the session a chance to write itself back into the
# response headers. +prepare_session+ and +update_session+ are defined
# elsewhere in this class.
#
# @param env [Hash] the Rack environment.
# @return [Array] the +[status, headers, body]+ triple produced by the wrapped app.
def call(env)
	session_hash = prepare_session(env)
	status, headers, body = @app.call(env)
	
	# Runs after the app so changes made during the request are reflected in the cookie.
	update_session(env, session_hash, headers)
	
	[status, headers, body]
end

#freeze ⇒ Object



# File 'lib/utopia/session.rb', line 74

# Freeze the middleware's configuration (cookie name, key, timeouts and cookie
# defaults) before freezing the instance itself. +@app+ and +@session_name+
# are left untouched.
#
# @return [self]
def freeze
	[@cookie_name, @key, @expires_after, @update_timeout, @cookie_defaults].each(&:freeze)
	
	super
end