1 module ActionController
3 # This cookie-based session store is the Rails default. Sessions typically
4 # contain at most a user_id and flash message; both fit within the 4K cookie
5 # size limit. Cookie-based sessions are dramatically faster than the
8 # If you have more than 4K of session data or don't want your data to be
9 # visible to the user, pick another session store.
11 # CookieOverflow is raised if you attempt to store more than 4K of data.
13 # A message digest is included with the cookie to ensure data integrity:
14 # a user cannot alter his +user_id+ without knowing the secret key
15 # included in the hash. New apps are generated with a pregenerated secret
16 # in config/environment.rb. Set your own for old apps you're upgrading.
20 # * <tt>:secret</tt>: An application-wide key string or block returning a
21 # string called per generated digest. The block is called with the
22 # CGI::Session instance as an argument. It's important that the secret
23 # is not vulnerable to a dictionary attack. Therefore, you should choose
24 # a secret consisting of random numbers and letters and more than 30
25 # characters. Examples:
27 # :secret => '449fe2e7daee471bffae2fd8dc02313d'
28 # :secret => Proc.new { User.current_user.secret_key }
30 # * <tt>:digest</tt>: The message digest algorithm used to verify session
31 # integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
32 # such as 'MD5', 'RIPEMD160', 'SHA256', etc.
34 # To generate a secret key for an existing application, run
35 # "rake secret" and set the key in config/environment.rb.
37 # Note that changing digest or secret invalidates all existing sessions!
39 # Cookies can typically store 4096 bytes.
41 SECRET_MIN_LENGTH
= 30 # characters
44 :key => '_session_id',
51 ENV_SESSION_KEY
= "rack.session".freeze
52 ENV_SESSION_OPTIONS_KEY
= "rack.session.options".freeze
53 HTTP_SET_COOKIE
= "Set-Cookie".freeze
55 # Raised when storing more than 4K of session data.
56 class CookieOverflow
< StandardError
; end
58 def initialize(app
, options
= {})
59 # Process legacy CGI options
60 options
= options
.symbolize_keys
61 if options
.has_key
?(:session_path)
62 options
[:path] = options
.delete(:session_path)
64 if options
.has_key
?(:session_key)
65 options
[:key] = options
.delete(:session_key)
67 if options
.has_key
?(:session_http_only)
68 options
[:httponly] = options
.delete(:session_http_only)
73 # The session_key option is required.
74 ensure_session_key(options
[:key])
75 @key = options
.delete(:key).freeze
77 # The secret option is required.
78 ensure_secret_secure(options
[:secret])
79 @secret = options
.delete(:secret).freeze
81 @digest = options
.delete(:digest) || 'SHA1'
82 @verifier = verifier_for(@secret, @digest)
84 @default_options = DEFAULT_OPTIONS
.merge(options
).freeze
90 env[ENV_SESSION_KEY
] = AbstractStore
::SessionHash.new(self, env)
91 env[ENV_SESSION_OPTIONS_KEY
] = @default_options.dup
93 status
, headers
, body
= @app.call(env)
95 session_data
= env[ENV_SESSION_KEY
]
96 options
= env[ENV_SESSION_OPTIONS_KEY
]
98 if !session_data
.is_a
?(AbstractStore
::SessionHash) || session_data
.send(:loaded?) || options
[:expire_after]
99 session_data
.send(:load!) if session_data
.is_a
?(AbstractStore
::SessionHash) && !session_data
.send(:loaded?)
100 session_data
= marshal(session_data
.to_hash
)
102 raise CookieOverflow
if session_data
.size
> MAX
105 cookie
[:value] = session_data
106 unless options
[:expire_after].nil?
107 cookie
[:expires] = Time
.now
+ options
[:expire_after]
110 cookie
= build_cookie(@key, cookie
.merge(options
))
111 unless headers
[HTTP_SET_COOKIE
].blank
?
112 headers
[HTTP_SET_COOKIE
] << "\n#{cookie}"
114 headers
[HTTP_SET_COOKIE
] = cookie
118 [status
, headers
, body
]
122 # Should be in Rack::Utils soon
123 def build_cookie(key
, value
)
126 domain
= "; domain=" + value
[:domain] if value
[:domain]
127 path
= "; path=" + value
[:path] if value
[:path]
128 # According to RFC 2109, we need dashes here.
129 # N.B.: cgi.rb uses spaces...
130 expires
= "; expires=" + value
[:expires].clone
.gmtime
.
131 strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value
[:expires]
132 secure
= "; secure" if value
[:secure]
133 httponly
= "; HttpOnly" if value
[:httponly]
134 value
= value
[:value]
136 value
= [value
] unless Array
=== value
137 cookie
= Rack
::Utils.escape(key
) + "=" +
138 value
.map
{ |v
| Rack
::Utils.escape(v
) }.join("&") +
139 "#{domain}#{path}#{expires}#{secure}#{httponly}"
142 def load_session(env)
143 request
= Rack
::Request.new(env)
144 session_data
= request
.cookies
[@key]
145 data = unmarshal(session_data
) || persistent_session_id
!({})
146 [data[:session_id], data]
149 # Marshal a session hash into safe cookie data. Include an integrity hash.
151 @verifier.generate(persistent_session_id
!(session
))
154 # Unmarshal cookie data to a hash and verify its integrity.
155 def unmarshal(cookie
)
156 persistent_session_id
!(@verifier.verify(cookie
)) if cookie
157 rescue ActiveSupport
::MessageVerifier::InvalidSignature
161 def ensure_session_key(key
)
163 raise ArgumentError
, 'A key is required to write a ' +
164 'cookie containing the session data. Use ' +
165 'config.action_controller.session = { :key => ' +
166 '"_myapp_session", :secret => "some secret phrase" } in ' +
167 'config/environment.rb'
171 # To prevent users from using something insecure like "Password" we make sure that the
172 # secret they've provided is at least 30 characters in length.
173 def ensure_secret_secure(secret
)
174 # There's no way we can do this check if they've provided a proc for the
176 return true if secret
.is_a
?(Proc
)
179 raise ArgumentError
, "A secret is required to generate an " +
180 "integrity hash for cookie session data. Use " +
181 "config.action_controller.session = { :key => " +
182 "\"_myapp_session\", :secret => \"some secret phrase of at " +
183 "least #{SECRET_MIN_LENGTH} characters\" } " +
184 "in config/environment.rb"
187 if secret
.length
< SECRET_MIN_LENGTH
188 raise ArgumentError
, "Secret should be something secure, " +
189 "like \"#{ActiveSupport::SecureRandom.hex(16)}\". The value you " +
190 "provided, \"#{secret}\", is shorter than the minimum length " +
191 "of #{SECRET_MIN_LENGTH} characters"
195 def verifier_for(secret
, digest
)
196 key
= secret
.respond_to
?(:call) ? secret
.call
: secret
197 ActiveSupport
::MessageVerifier.new(key
, digest
)
201 ActiveSupport
::SecureRandom.hex(16)
204 def persistent_session_id
!(data)
205 (data ||= {}).merge
!(inject_persistent_session_id(data))
208 def inject_persistent_session_id(data)
209 requires_session_id
?(data) ? { :session_id => generate_sid
} : {}
212 def requires_session_id
?(data)
214 data.respond_to
?(:key?) && !data.key
?(:session_id)