Class: Utopia::Session
Inherits: Object
Defined in: lib/utopia/session.rb, lib/utopia/session/lazy_hash.rb, lib/utopia/session/serialization.rb
Overview
A middleware which provides secure client-side session storage using a private symmetric encryption key.
Defined Under Namespace
Classes: LazyHash, PayloadError, Serialization
Constant Summary
    MAXIMUM_SIZE = 1024*32
    SECRET_KEY = 'UTOPIA_SESSION_SECRET'.freeze
    RACK_SESSION = "rack.session".freeze
    CIPHER_ALGORITHM = "aes-256-cbc"
    DEFAULT_EXPIRES_AFTER = 3600*24
        The session will expire if no requests were made within 24 hours.
    DEFAULT_UPDATE_TIMEOUT = 3600
        The session will be updated at least every hour.
Instance Attribute Summary
- #cookie_defaults ⇒ Object (readonly): Returns the value of attribute cookie_defaults.
- #cookie_name ⇒ Object (readonly): Returns the value of attribute cookie_name.
- #expires_after ⇒ Object (readonly): Returns the value of attribute expires_after.
- #key ⇒ Object (readonly): Returns the value of attribute key.
- #update_timeout ⇒ Object (readonly): Returns the value of attribute update_timeout.
Instance Method Summary
- #call(env) ⇒ Object
- #freeze ⇒ Object
- #initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options) ⇒ Session (constructor): A new instance of Session.
Constructor Details
#initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options) ⇒ Session
Returns a new instance of Session.

    # File 'lib/utopia/session.rb', line 56

    def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)
      @app = app
      @session_name = session_name
      @cookie_name = @session_name + ".encrypted"

      if secret.nil? or secret.empty?
        secret = SecureRandom.hex(32)
        warn "#{self.class} secret is #{secret.inspect}, generating transient secret key!" if $VERBOSE
      end

      # This generates a 32-byte key suitable for aes.
      @key = Digest::SHA2.digest(secret)

      @expires_after = expires_after
      @update_timeout = update_timeout

      @cookie_defaults = {
        domain: nil,
        path: "/",
        # The SameSite attribute controls when the cookie is sent to the server, from 3rd parties (None), from requests with external referrers (Lax) or from within the site itself (Strict).
        same_site: same_site,
        # The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
        secure: secure,
        # The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
        http_only: true,
      }.merge(options)

      @serialization = Serialization.new
      @maximum_size = maximum_size
    end
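The constructor above derives the AES key from the secret with SHA-256 and caps the encrypted payload at MAXIMUM_SIZE; the two timeouts govern expiry and re-issue. The following is an added illustration (not the gem's own Serialization code or cookie format) of those three mechanisms using the constants listed on this page; the JSON encoding, the iv-prefixed layout and the `session_state` helper are assumptions for the example.

```ruby
require 'openssl'
require 'digest/sha2'
require 'json'

CIPHER_ALGORITHM = "aes-256-cbc"
MAXIMUM_SIZE = 1024 * 32
DEFAULT_EXPIRES_AFTER = 3600 * 24
DEFAULT_UPDATE_TIMEOUT = 3600

# Derive a 32-byte AES-256 key from the secret string, as the constructor does.
def derive_key(secret)
  Digest::SHA2.digest(secret)
end

# Encrypt a session hash under a fresh random IV. Layout (assumed for this example):
# iv || ciphertext. The size cap mirrors MAXIMUM_SIZE in the middleware.
def encrypt_session(key, session)
  cipher = OpenSSL::Cipher.new(CIPHER_ALGORITHM).encrypt
  cipher.key = key
  iv = cipher.random_iv
  payload = iv + cipher.update(JSON.generate(session)) + cipher.final
  raise ArgumentError, "session exceeds #{MAXIMUM_SIZE} bytes" if payload.bytesize > MAXIMUM_SIZE
  payload
end

# Reverse of encrypt_session: split off the IV, decrypt, parse the JSON hash.
def decrypt_session(key, payload)
  cipher = OpenSSL::Cipher.new(CIPHER_ALGORITHM).decrypt
  cipher.key = key
  cipher.iv = payload.byteslice(0, cipher.iv_len)
  JSON.parse(cipher.update(payload.byteslice(cipher.iv_len..-1)) + cipher.final)
end

# Classify a session by the age of its last write (Unix seconds):
# older than expires_after -> :expired; older than update_timeout -> :refresh
# (the cookie is re-issued); otherwise :valid.
def session_state(updated_at, now, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT)
  age = now - updated_at
  return :expired if age > expires_after
  return :refresh if age > update_timeout
  :valid
end
```

Note that a secret of nil or "" makes the constructor fall back to a random per-process key, so sessions issued before a restart or by another worker cannot be decrypted; set the secret explicitly in production.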
Instance Attribute Details
#cookie_defaults ⇒ Object (readonly)
Returns the value of attribute cookie_defaults.

    # File 'lib/utopia/session.rb', line 97

    def cookie_defaults
      @cookie_defaults
    end

#cookie_name ⇒ Object (readonly)
Returns the value of attribute cookie_name.

    # File 'lib/utopia/session.rb', line 91

    def cookie_name
      @cookie_name
    end

#expires_after ⇒ Object (readonly)
Returns the value of attribute expires_after.

    # File 'lib/utopia/session.rb', line 94

    def expires_after
      @expires_after
    end

#key ⇒ Object (readonly)
Returns the value of attribute key.

    # File 'lib/utopia/session.rb', line 92

    def key
      @key
    end

#update_timeout ⇒ Object (readonly)
Returns the value of attribute update_timeout.

    # File 'lib/utopia/session.rb', line 95

    def update_timeout
      @update_timeout
    end
Instance Method Details
#call(env) ⇒ Object

    # File 'lib/utopia/session.rb', line 111

    def call(env)
      session_hash = prepare_session(env)

      status, headers, body = @app.call(env)

      update_session(env, session_hash, headers)

      return [status, headers, body]
    end

#freeze ⇒ Object

    # File 'lib/utopia/session.rb', line 99

    def freeze
      return self if frozen?

      @cookie_name.freeze
      @key.freeze
      @expires_after.freeze
      @update_timeout.freeze
      @cookie_defaults.freeze

      super
    end