./lib/lux/current/lib/session.rb in lux-fw-0.5.37 vs ./lib/lux/current/lib/session.rb in lux-fw-0.6.2

- old
+ new

@@ -1,72 +1,93 @@ # vars # Lux.config.session_cookie_name # Lux.config.session_cookie_max_age -# Lux.config.session_cookie_domain -class Lux::Current::Session - def initialize request - # how long will session last if BROWSER or IP change - Lux.config.session_forced_validity ||= 10.minutes.to_i +# IMPORTANT - it is probably not a bug! +# If you have issues with cookies and sessions, try annonymous window and check info on set headers +# sometimes there is a bug there and cookie will not be set because of http https issues - # name of the session cookie - @cookie_name = Lux.config.session_cookie_name ||= 'lux_' + Crypt.sha1(Lux.config.secret)[0,4].downcase - @request = request - @session = JSON.parse(Crypt.decrypt(request.cookies[@cookie_name] || '{}')) rescue {} +module Lux + class Current + class Session + attr_reader :hash, :cookie_name - security_check - end + def initialize request + # how long will session last if BROWSER or IP change + Lux.config[:session_forced_validity] ||= 10.minutes.to_i + Lux.config[:session_cookie_max_age] ||= 1.week.to_i - def [] key - @session[key.to_s.downcase] - end + # name of the session cookie + @cookie_name = Lux.config[:session_cookie_name] ||= 'lux_' + Crypt.sha1(Lux.config.secret)[0,4].downcase + @request = request + @hash = JSON.parse(Crypt.decrypt(request.cookies[@cookie_name] || '{}')) rescue {} - def []= key, value - @session[key.to_s.downcase] = value - end + security_check + end - def delete key - @session.delete key.to_s.downcase - end + def [] key + @hash[key.to_s.downcase] + end - def generate_cookie - encrypted = Crypt.encrypt(@session.to_json) + def []= key, value + @hash[key.to_s.downcase] = value + end - if @request.cookies[@cookie_name] != encrypted - cookie = [] - cookie.push [@cookie_name, encrypted].join('=') - cookie.push 'Max-Age=%s' % (Lux.config.session_cookie_max_age || 1.week.to_i) - cookie.push "Path=/" - cookie.push "Domain=#{Lux.config.session_cookie_domain}" if Lux.config.session_cookie_domain - 
cookie.push "secure" if Lux.config.host.include?('https:') - cookie.push "HttpOnly" + def delete key + @hash.delete key.to_s.downcase + end - cookie.join('; ') - else - nil - end - end + def generate_cookie + encrypted = Crypt.encrypt(@hash.to_json) - def merge! hash={} - hash.keys.each { |k| self[k] = hash[k] } - end + if @request.cookies[@cookie_name] != encrypted + cookie_domain = Lux.current.var[:lux_cookie_domain] || Lux.current.nav.domain - def hash - @session.dup - end + cookie = [] + cookie.push [@cookie_name, encrypted].join('=') + cookie.push 'Max-Age=%s' % (Lux.config.session_cookie_max_age) + cookie.push "Path=/" + cookie.push "Domain=#{cookie_domain}" + cookie.push "secure" if Lux.current.request.url.start_with?('https:') + cookie.push "HttpOnly" + cookie.push "SameSite=Lax" - private + cookie.join('; ') + else + nil + end + end - def security_check - key = '_c' - check = Crypt.sha1(@request.ip.to_s+@request.env['HTTP_USER_AGENT'].to_s)[0, 5] + def merge! hash={} + @hash.keys.each { |k| self[k] = @hash[k] } + end - # force type array - @session.delete(key) unless @session[key].class == Array + def keys + @hash.keys + end - # allow 10 mins delay for IP change - @session = {} if @session[key] && (@session[key][0] != check && @session[key][1].to_i < Time.now.to_i - Lux.config.session_forced_validity) + def to_h + @hash + end - # add new time stamp to every request - @session[key] = [check, Time.now.to_i] + private + + def security_check + key = '_c' + ip = Lux.current.ip.split('.').first(3).join('.') # only 3 first numbers of IP + check = Crypt.sha1(ip+@request.env['HTTP_USER_AGENT'].to_s)[0, 5] + + # force type array + @hash.delete(key) unless @hash[key].class == Array + + # allow 10 mins delay for IP change + if @hash[key] && (@hash[key][0] != check && @hash[key][1].to_i < Time.now.to_i - Lux.config.session_forced_validity) + @hash = {} + end + + # add new time stamp to every request + @hash[key] = [check, Time.now.to_i] + end + end end -end \ No 
newline at end of file +end +
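Review bot: `merge!` no longer merges anything — the new body iterates `@hash.keys` and assigns `self[k] = @hash[k]`, so the `hash` argument is ignored and the call is a no-op; restore `hash.keys.each { |k| self[k] = hash[k] }` (or `hash.each { |k, v| self[k] = v }`). Separately, `generate_cookie` now always pushes `"Domain=#{cookie_domain}"` with the value falling back to `Lux.current.nav.domain` (presumably derived from the request host), whereas the old code omitted the attribute unless `session_cookie_domain` was configured; an explicit Domain turns the host-only session cookie into one sent to every subdomain, which widens exposure if any subdomain is less trusted, and a host-derived value that browsers reject (an IP literal or `localhost`) is a likely cause of the "cookie will not be set" symptom the new header comment describes. Consider `cookie.push "Domain=#{cookie_domain}" if Lux.current.var[:lux_cookie_domain]` so the default stays host-only. Unchanged but worth a comment in `security_check`: the fingerprint and timestamp are rewritten on every request, so a replayed cookie presented from a different /24 or user agent within `session_forced_validity` of its last use is accepted and silently rebound to the new client rather than rejected, and the `.split('.')` prefix trick only applies to IPv4 addresses.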