lib/innate/session.rb in innate-2010.07 vs lib/innate/session.rb in innate-2011.01
- old
+ new
@@ -36,10 +36,12 @@
:expires, nil
o "Time to live for session cookies and cache, nil/false will prevent setting",
:ttl, (60 * 60 * 24 * 30) # 30 days
o "Length of generated Session ID (only applies when using SecureRandom)",
:sid_length, 64
+ o "cookie cannot be accessed through client side script (http://www.owasp.org/index.php/HttpOnly)",
+ :httponly, false
trigger(:expires){|value|
self.ttl = value - Time.now.to_i
Log.warn("Innate::Session.options.expires is deprecated, use #ttl instead")
}
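Review bot: The new `:httponly` option added after `:sid_length` defaults to `false`, so the session cookie stays readable from client-side script unless every application opts in. Nothing in this file needs the session cookie from script, so `:httponly, true` looks like the safer default; if the opt-in default is kept for compatibility with existing deployments, the option description should say so, e.g. `o "cookie cannot be accessed through client side script (...); off by default for compatibility",`.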
@@ -48,10 +50,11 @@
attr_reader :cookie_set, :request, :response, :flash
def initialize(request, response)
@request, @response = request, response
@cookie_set = false
+ @force_new_cookie = false
@cache_sid = nil
@flash = Flash.new(self)
end
# Rack interface
@@ -87,10 +90,17 @@
def sid
@sid ||= cookie || generate_sid
end
+ def resid!
+ cache_sid
+ cache.delete(sid)
+ @sid = generate_sid
+ @force_new_cookie = true
+ end
+
private
def cache_sid
@cache_sid ||= cache[sid] || {}
end
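Review bot: `resid!` is the only public method in the hunk without a comment, and its first statement `cache_sid` reads like a stray call: it memoizes the current session data in `@cache_sid` before `cache.delete(sid)` drops the entry keyed by the old id. A header comment such as `# Replace the session id with a freshly generated one while keeping the session data; the new id is sent by the next set_cookie` plus an inline `# memoize the data before the old key is deleted` on the `cache_sid` line would make both explicit. The method also leaves `@cookie_set` untouched, so if `set_cookie` has already run for this response (its caller is outside the hunk) the regenerated id is never sent and the client keeps an id whose cache entry was just deleted; worth confirming `resid!` is only reachable before `set_cookie`, or documenting that constraint in the header comment.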
@@ -102,18 +112,24 @@
def cache
Innate::Cache.session
end
def set_cookie(response)
- return if @cookie_set || cookie
-
+ return if @cookie_set || (!@force_new_cookie && cookie)
+
@cookie_set = true
response.set_cookie(options.key, cookie_value)
+ @force_new_cookie = false
end
def cookie_value
o = options
- cookie = {:domain => o.domain, :path => o.path, :secure => o.secure}
+ cookie = {
+ :domain => o.domain,
+ :path => o.path,
+ :secure => o.secure,
+ :httponly => o.httponly
+ }
cookie[:expires] = (Time.now + o.ttl) if o.ttl
cookie.merge!(:value => sid)
end
def generate_sid
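Review bot: The new guard in `set_cookie`, `return if @cookie_set || (!@force_new_cookie && cookie)`, folds two cases into one expression with no comment; a line above it such as `# send the cookie when the request carried none, or when resid! replaced the id behind an existing one` would explain why a present cookie no longer short-circuits. As a point of style, `cookie_value` now builds the hash over several lines but still ends with `cookie.merge!(:value => sid)` as the return value, which relies on `merge!` returning the receiver; `cookie[:value] = sid` followed by `cookie` on its own line reads more directly. `generate_sid` starts on the hunk's last line and its body is outside it.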