Utopia SourceUtopiaSession

class Session

A middleware which provides a secure client-side session storage using a private symmetric encrpytion key.

Nested

Definitions

DEFAULT_EXPIRES_AFTER = 3600*24

The session will expire if no requests were made within 24 hours:

DEFAULT_UPDATE_TIMEOUT = 3600

At least, the session will be updated every 1 hour:

def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)

Implementation

def initialize(app, session_name: RACK_SESSION, secret: nil, expires_after: DEFAULT_EXPIRES_AFTER, update_timeout: DEFAULT_UPDATE_TIMEOUT, secure: false, same_site: :lax, maximum_size: MAXIMUM_SIZE, **options)
	@app = app
	
	@session_name = session_name
	@cookie_name = @session_name + ".encrypted"
	
	if secret.nil? or secret.empty?
		raise ArgumentError, "invalid session secret: #{secret.inspect}"
	end
	
	# This generates a 32-byte key suitable for aes.
	@key = Digest::SHA2.digest(secret)
	
	@expires_after = expires_after
	@update_timeout = update_timeout
	
	@cookie_defaults = {
		domain: nil,
		path: "/",
		
		# The SameSite attribute controls when the cookie is sent to the server, from 3rd parties (None), from requests with external referrers (Lax) or from within the site itself (Strict).
		same_site: same_site,
		
		# The Secure attribute is meant to keep cookie communication limited to encrypted transmission, directing browsers to use cookies only via secure/encrypted connections. However, if a web server sets a cookie with a secure attribute from a non-secure connection, the cookie can still be intercepted when it is sent to the user by man-in-the-middle attacks. Therefore, for maximum security, cookies with the Secure attribute should only be set over a secure connection.
		secure: secure,
		
		# The HttpOnly attribute directs browsers not to expose cookies through channels other than HTTP (and HTTPS) requests. This means that the cookie cannot be accessed via client-side scripting languages (notably JavaScript), and therefore cannot be stolen easily via cross-site scripting (a pervasive attack technique).
		http_only: true,
	}.merge(options)
	
	@serialization = Serialization.new
	@maximum_size = maximum_size
end

def build_initial_session(request)

Constructs a valid session for the given request. These fields must match as per the checks performed in valid_session?:

Implementation

def build_initial_session(request)
	{
		user_agent: request.user_agent,
		created_at: Time.now.utc,
		updated_at: Time.now.utc,
	}
end

def load_session_values(env)

Load session from user supplied cookie. If the data is invalid or otherwise fails validation, build_iniital_session is invoked.

Implementation

def load_session_values(env)
	request = Rack::Request.new(env)
	
	# Decrypt the data from the user if possible:
	if data = request.cookies[@cookie_name]
		begin
			if values = decrypt(data)
				validate_session!(request, values)
				
				return values
			end
		rescue => error
			request.logger&.error(error)
		end
	end
	
	# If we couldn't create a session
	return build_initial_session(request)
end