aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/session/abstract_store.rb
blob: d4b185aaa2d458d43731c37a629aeae6f3213653 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
require 'rack/utils'

module ActionController
  module Session
    class AbstractStore
      ENV_SESSION_KEY = 'rack.session'.freeze
      ENV_SESSION_OPTIONS_KEY = 'rack.session.options'.freeze

      HTTP_COOKIE = 'HTTP_COOKIE'.freeze
      SET_COOKIE = 'Set-Cookie'.freeze

      class SessionHash < Hash
        def initialize(by, env)
          super()
          @by = by
          @env = env
          @loaded = false
        end

        def id
          load! unless @loaded
          @id
        end

        def session_id
          ActiveSupport::Deprecation.warn(
            "ActionController::Session::AbstractStore::SessionHash#session_id" +
            "has been deprecated.Please use #id instead.", caller)
          id
        end

        def [](key)
          load! unless @loaded
          super
        end

        def []=(key, value)
          load! unless @loaded
          super
        end

        def to_hash
          h = {}.replace(self)
          h.delete_if { |k,v| v.nil? }
          h
        end

        def data
         ActiveSupport::Deprecation.warn(
           "ActionController::Session::AbstractStore::SessionHash#data" +
           "has been deprecated.Please use #to_hash instead.", caller)
          to_hash
        end

        private
          def load!
            @id, session = @by.send(:load_session, @env)
            replace(session)
            @loaded = true
          end
      end

      DEFAULT_OPTIONS = {
        :key =>           '_session_id',
        :path =>          '/',
        :domain =>        nil,
        :expire_after =>  nil,
        :secure =>        false,
        :httponly =>      true,
        :cookie_only =>   true
      }

      def initialize(app, options = {})
        # Process legacy CGI options
        options = options.symbolize_keys
        if options.has_key?(:session_path)
          options[:path] = options.delete(:session_path)
        end
        if options.has_key?(:session_key)
          options[:key] = options.delete(:session_key)
        end
        if options.has_key?(:session_http_only)
          options[:httponly] = options.delete(:session_http_only)
        end

        @app = app
        @default_options = DEFAULT_OPTIONS.merge(options)
        @key = @default_options[:key]
        @cookie_only = @default_options[:cookie_only]
      end

      def call(env)
        session = SessionHash.new(self, env)
        original_session = session.dup

        env[ENV_SESSION_KEY] = session
        env[ENV_SESSION_OPTIONS_KEY] = @default_options.dup

        response = @app.call(env)

        session = env[ENV_SESSION_KEY]
        unless session == original_session
          options = env[ENV_SESSION_OPTIONS_KEY]
          sid = session.id

          unless set_session(env, sid, session.to_hash)
            return response
          end

          cookie = Rack::Utils.escape(@key) + '=' + Rack::Utils.escape(sid)
          cookie << "; domain=#{options[:domain]}" if options[:domain]
          cookie << "; path=#{options[:path]}" if options[:path]
          if options[:expire_after]
            expiry = Time.now + options[:expire_after]
            cookie << "; expires=#{expiry.httpdate}"
          end
          cookie << "; Secure" if options[:secure]
          cookie << "; HttpOnly" if options[:httponly]

          headers = response[1]
          case a = headers[SET_COOKIE]
          when Array
            a << cookie
          when String
            headers[SET_COOKIE] = [a, cookie]
          when nil
            headers[SET_COOKIE] = cookie
          end
        end

        response
      end

      private
        def generate_sid
          ActiveSupport::SecureRandom.hex(16)
        end

        def load_session(env)
          request = Rack::Request.new(env)
          sid = request.cookies[@key]
          unless @cookie_only
            sid ||= request.params[@key]
          end
          sid, session = get_session(env, sid)
          [sid, session]
        end

        def get_session(env, sid)
          raise '#get_session needs to be implemented.'
        end

        def set_session(env, sid, session_data)
          raise '#set_session needs to be implemented.'
        end
    end
  end
end