1 require 'action_controller/cgi_ext'
2 require 'action_controller/session/cookie_store'
4 module ActionController
#:nodoc:
6 # Process a request extracted from a CGI object and return a response. Pass false as <tt>session_options</tt> to disable
7 # sessions (large performance increase if sessions are not needed). The <tt>session_options</tt> are the same as for CGI::Session:
9 # * <tt>:database_manager</tt> - standard options are CGI::Session::FileStore, CGI::Session::MemoryStore, and CGI::Session::PStore
10 # (default). Additionally, there is CGI::Session::DRbStore and CGI::Session::ActiveRecordStore. Read more about these in
11 # lib/action_controller/session.
12 # * <tt>:session_key</tt> - the parameter name used for the session id. Defaults to '_session_id'.
13 # * <tt>:session_id</tt> - the session id to use. If not provided, then it is retrieved from the +session_key+ cookie, or
14 # automatically generated for a new session.
15 # * <tt>:new_session</tt> - if true, force creation of a new session. If not set, a new session is only created if none currently
16 # exists. If false, a new session is never created, and if none currently exists and the +session_id+ option is not set,
17 # an ArgumentError is raised.
18 # * <tt>:session_expires</tt> - the time the current session expires, as a Time object. If not set, the session will continue
20 # * <tt>:session_domain</tt> - the hostname domain for which this session is valid. If not set, defaults to the hostname of the
22 # * <tt>:session_secure</tt> - if +true+, this session will only work over HTTPS.
23 # * <tt>:session_path</tt> - the path for which this session applies. Defaults to the directory of the CGI script.
24 # * <tt>:cookie_only</tt> - if +true+ (the default), session IDs will only be accepted from cookies and not from
25 # the query string or POST parameters. This protects against session fixation attacks.
26 def self.process_cgi(cgi
= CGI
.new
, session_options
= {})
27 new
.process_cgi(cgi
, session_options
)
30 def process_cgi(cgi
, session_options
= {}) #:nodoc:
31 process(CgiRequest
.new(cgi
, session_options
), CgiResponse
.new(cgi
)).out
35 class CgiRequest
< AbstractRequest
#:nodoc:
36 attr_accessor
:cgi, :session_options
37 class SessionFixationAttempt
< StandardError
#:nodoc:
40 DEFAULT_SESSION_OPTIONS
= {
41 :database_manager => CGI
::Session::CookieStore, # store data in cookie
42 :prefix => "ruby_sess.", # prefix session file names
43 :session_path => "/", # available to all paths in app
44 :session_key => "_session_id",
46 :session_http_only=> true
49 def initialize(cgi
, session_options
= {})
51 @session_options = session_options
52 @env = @cgi.__send__(:env_table)
57 qs
= @cgi.query_string
if @cgi.respond_to
?(:query_string)
65 def body_stream
#:nodoc:
74 unless defined?(@session)
75 if @session_options == false
78 stale_session_check
! do
79 if cookie_only
? && query_parameters
[session_options_with_string_keys
['session_key']]
80 raise SessionFixationAttempt
82 case value
= session_options_with_string_keys
['new_session']
84 @session = new_session
87 @session = CGI
::Session.new(@cgi, session_options_with_string_keys
)
88 # CGI::Session raises ArgumentError if 'new_session' == false
89 # and no session cookie or query param is present.
94 @session = CGI
::Session.new(@cgi, session_options_with_string_keys
)
96 raise ArgumentError
, "Invalid new_session option: #{value}"
98 @session['__valid_session']
106 @session.delete
if defined?(@session) && @session.is_a
?(CGI
::Session)
107 @session = new_session
110 def method_missing(method_id
, *arguments
)
111 @cgi.__send__(method_id
, *arguments
) rescue super
115 # Delete an old session if it exists then create a new one.
117 if @session_options == false
120 CGI
::Session.new(@cgi, session_options_with_string_keys
.merge("new_session" => false)).delete
rescue nil
121 CGI
::Session.new(@cgi, session_options_with_string_keys
.merge("new_session" => true))
126 session_options_with_string_keys
['cookie_only']
129 def stale_session_check
!
131 rescue ArgumentError
=> argument_error
132 if argument_error
.message
=~
%r
{undefined
class/module ([\w
:]*\w
)}
134 # Note that the regexp does not allow $1 to end with a ':'
136 rescue LoadError
, NameError
=> const_error
137 raise ActionController
::SessionRestoreError, <<-end_msg
138 Session contains objects whose class definition isn\'t available.
139 Remember to require the classes for all objects kept in the session.
140 (Original exception: #{const_error.message} [#{const_error.class}])
150 def session_options_with_string_keys
151 @session_options_with_string_keys ||= DEFAULT_SESSION_OPTIONS
.merge(@session_options).stringify_keys
155 class CgiResponse
< AbstractResponse
#:nodoc:
161 def out(output
= $stdout)
162 output
.binmode
if output
.respond_to
?(:binmode)
163 output
.sync
= false if output
.respond_to
?(:sync=)
166 output
.write(@cgi.header(@headers))
168 if @cgi.__send__(:env_table)['REQUEST_METHOD'] == 'HEAD'
170 elsif @body.respond_to
?(:call)
171 # Flush the output now in case the @body Proc uses
173 output
.flush
if output
.respond_to
?(:flush)
174 @body.call(self, output
)
179 output
.flush
if output
.respond_to
?(:flush)
180 rescue Errno
::EPIPE, Errno
::ECONNRESET
181 # lost connection to parent process, ignore output