Class: Utopia::Session

Inherits:

Object

• Object
• Utopia::Session

Defined in:

lib/utopia/session.rb,
lib/utopia/session/lazy_hash.rb

Overview

A middleware which provides a secure client-side session storage using a private symmetric encrpytion key.

Defined Under Namespace

Classes: LazyHash

Constant Summary

SECRET_KEY =

'UTOPIA_SESSION_SECRET'.freeze

RACK_SESSION =

"rack.session".freeze

CIPHER_ALGORITHM =

"aes-256-cbc"

DEFAULT_EXPIRES_AFTER =

The session will expire if no requests were made within 24 hours:

3600*24

DEFAULT_UPDATE_TIMEOUT =

At least, the session will be updated every 1 hour:

3600

Instance Attribute Summary

• #cookie_defaults ⇒ Object readonly

  Returns the value of attribute cookie_defaults.

• #cookie_name ⇒ Object readonly

  Returns the value of attribute cookie_name.

• #expires_after ⇒ Object readonly

  Returns the value of attribute expires_after.

• #key ⇒ Object readonly

  Returns the value of attribute key.

• #update_timeout ⇒ Object readonly

  Returns the value of attribute update_timeout.

Instance Method Summary

• #call(env) ⇒ Object
• #freeze ⇒ Object
• #initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, **options) ⇒ Session constructor

  A new instance of Session.

Constructor Details

#initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, **options) ⇒ Session

Returns a new instance of Session

Parameters:

• session_name (String) —

  The name of the session cookie.

• secret (Array) —

  The secret text used to generate a symetric encryption key for the coookie data.

• expires_after (String) —

  The cache-control header to set for static content.

• options (Hash<Symbol,Object>) —

  Additional defaults used for generating the cookie by Rack::Utils.set_cookie_header!.

# File 'lib/utopia/session.rb', line 45

def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, **options)
	@app = app
	
	@session_name = session_name
	@cookie_name = @session_name + ".encrypted"
	
	if secret.nil? or secret.empty?
		secret = SecureRandom.hex(32)
		warn "#{self.class} secret is #{secret.inspect}, generating transient secret key!" if $VERBOSE
	end
	
	# This generates a 32-byte key suitable for aes.
	@key = Digest::SHA2.digest(secret)
	
	@expires_after = expires_after
	@update_timeout = update_timeout
	
	@cookie_defaults = {
		domain: nil,
		path: "/",
		# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
		secure: false,
		# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
		http_only: true,
	}.merge(options)
end

Instance Attribute Details

#cookie_defaults ⇒ Object (readonly)

Returns the value of attribute cookie_defaults

# File 'lib/utopia/session.rb', line 78

def cookie_defaults
  @cookie_defaults
end

#cookie_name ⇒ Object (readonly)

Returns the value of attribute cookie_name

# File 'lib/utopia/session.rb', line 72

def cookie_name
  @cookie_name
end

#expires_after ⇒ Object (readonly)

Returns the value of attribute expires_after

# File 'lib/utopia/session.rb', line 75

def expires_after
  @expires_after
end

#key ⇒ Object (readonly)

Returns the value of attribute key

# File 'lib/utopia/session.rb', line 73

def key
  @key
end

#update_timeout ⇒ Object (readonly)

Returns the value of attribute update_timeout

# File 'lib/utopia/session.rb', line 76

def update_timeout
  @update_timeout
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/utopia/session.rb', line 92

def call(env)
	session_hash = prepare_session(env)

	status, headers, body = @app.call(env)

	update_session(env, session_hash, headers)

	return [status, headers, body]
end

#freeze ⇒ Object

# File 'lib/utopia/session.rb', line 80

def freeze
	return self if frozen?
	
	@cookie_name.freeze
	@key.freeze
	@expires_after.freeze
	@update_timeout.freeze
	@cookie_defaults.freeze
	
	super
end