class Session
A middleware which provides a secure client-side session storage using a private symmetric encrpytion key.
Nested
Definitions
DEFAULT_EXPIRES_AFTER = 3600*24
The session will expire if no requests were made within 24 hours:
DEFAULT_UPDATE_TIMEOUT = 3600
At least, the session will be updated every 1 hour:
def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)
Implementation
def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)
@app = app
@session_name = session_name
@cookie_name = @session_name + ".encrypted"
if secret.nil? or secret.empty?
raise ArgumentError, "invalid session secret: #{secret.inspect}"
end
# This generates a 32-byte key suitable for aes.
@key = Digest::SHA2.digest(secret)
@expires_after = expires_after
@update_timeout = update_timeout
@cookie_defaults = {
domain: nil,
path: "/",
# The SameSite attribute controls when the cookie is sent to the server, from 3rd parties (None), from requests with external referrers (Lax) or from within the site itself (Strict).
same_site: same_site,
# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
secure: secure,
# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
http_only: true,
}.merge(options)
@serialization = Serialization.new
@maximum_size = maximum_size
end
def build_initial_session(request)
Constructs a valid session for the given request. These fields must match as per the checks performed in valid_session?
:
Implementation
def build_initial_session(request)
{
user_agent: request.user_agent,
created_at: Time.now.utc,
updated_at: Time.now.utc,
}
end
def load_session_values(env)
Load session from user supplied cookie. If the data is invalid or otherwise fails validation, build_iniital_session
is invoked.
Implementation
def load_session_values(env)
request = Rack::Request.new(env)
# Decrypt the data from the user if possible:
if data = request.cookies[@cookie_name]
begin
if values = decrypt(data)
validate_session!(request, values)
return values
end
rescue => error
Console.error(self, error)
end
end
# If we couldn't create a session
return build_initial_session(request)
end