aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_dispatch/middleware/session/cookie_store.rb
blob: 22da82479e3dfdbe34e8bbb3b4340c72c51379c6 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
require 'active_support/core_ext/hash/keys'

module ActionDispatch
  module Session
    # This cookie-based session store is the Rails default. Sessions typically
    # contain at most a user_id and flash message; both fit within the 4K cookie
    # size limit. Cookie-based sessions are dramatically faster than the
    # alternatives.
    #
    # If you have more than 4K of session data or don't want your data to be
    # visible to the user, pick another session store.
    #
    # CookieOverflow is raised if you attempt to store more than 4K of data.
    #
    # A message digest is included with the cookie to ensure data integrity:
    # a user cannot alter his +user_id+ without knowing the secret key
    # included in the hash. New apps are generated with a pregenerated secret
    # in config/environment.rb. Set your own for old apps you're upgrading.
    #
    # Session options:
    #
    # * <tt>:secret</tt>: An application-wide key string or block returning a
    #   string called per generated digest. The block is called with the
    #   CGI::Session instance as an argument. It's important that the secret
    #   is not vulnerable to a dictionary attack. Therefore, you should choose
    #   a secret consisting of random numbers and letters and more than 30
    #   characters. Examples:
    #
    #     :secret => '449fe2e7daee471bffae2fd8dc02313d'
    #     :secret => Proc.new { User.current_user.secret_key }
    #
    # * <tt>:digest</tt>: The message digest algorithm used to verify session
    #   integrity defaults to 'SHA1' but may be any digest provided by OpenSSL,
    #   such as 'MD5', 'RIPEMD160', 'SHA256', etc.
    #
    # To generate a secret key for an existing application, run
    # "rake secret" and set the key in config/environment.rb.
    #
    # Note that changing digest or secret invalidates all existing sessions!
    class CookieStore
      # Cookies can typically store 4096 bytes.
      MAX = 4096
      SECRET_MIN_LENGTH = 30 # characters

      DEFAULT_OPTIONS = {
        :key          => '_session_id',
        :domain       => nil,
        :path         => "/",
        :expire_after => nil,
        :httponly     => true
      }.freeze

      class OptionsHash < Hash
        def initialize(by, env, default_options)
          @session_data = env[CookieStore::ENV_SESSION_KEY]
          default_options.each { |key, value| self[key] = value }
        end

        def [](key)
          key == :id ? @session_data[:session_id] : super(key)
        end
      end

      ENV_SESSION_KEY = "rack.session".freeze
      ENV_SESSION_OPTIONS_KEY = "rack.session.options".freeze
      HTTP_SET_COOKIE = "Set-Cookie".freeze

      # Raised when storing more than 4K of session data.
      class CookieOverflow < StandardError; end

      def initialize(app, options = {})
        # Process legacy CGI options
        options = options.symbolize_keys
        if options.has_key?(:session_path)
          options[:path] = options.delete(:session_path)
        end
        if options.has_key?(:session_key)
          options[:key] = options.delete(:session_key)
        end
        if options.has_key?(:session_http_only)
          options[:httponly] = options.delete(:session_http_only)
        end

        @app = app

        # The session_key option is required.
        ensure_session_key(options[:key])
        @key = options.delete(:key).freeze

        # The secret option is required.
        ensure_secret_secure(options[:secret])
        @secret = options.delete(:secret).freeze

        @digest = options.delete(:digest) || 'SHA1'
        @verifier = verifier_for(@secret, @digest)

        @default_options = DEFAULT_OPTIONS.merge(options).freeze

        freeze
      end

      def call(env)
        env[ENV_SESSION_KEY] = AbstractStore::SessionHash.new(self, env)
        env[ENV_SESSION_OPTIONS_KEY] = OptionsHash.new(self, env, @default_options)

        status, headers, body = @app.call(env)

        session_data = env[ENV_SESSION_KEY]
        options = env[ENV_SESSION_OPTIONS_KEY]

        if !session_data.is_a?(AbstractStore::SessionHash) || session_data.send(:loaded?) || options[:expire_after]
          session_data.send(:load!) if session_data.is_a?(AbstractStore::SessionHash) && !session_data.send(:loaded?)
          session_data = marshal(session_data.to_hash)

          raise CookieOverflow if session_data.size > MAX

          cookie = Hash.new
          cookie[:value] = session_data
          unless options[:expire_after].nil?
            cookie[:expires] = Time.now + options[:expire_after]
          end

          cookie = build_cookie(@key, cookie.merge(options))
          unless headers[HTTP_SET_COOKIE].blank?
            headers[HTTP_SET_COOKIE] << "\n#{cookie}"
          else
            headers[HTTP_SET_COOKIE] = cookie
          end
        end

        [status, headers, body]
      end

      private
        # Should be in Rack::Utils soon
        def build_cookie(key, value)
          case value
          when Hash
            domain  = "; domain="  + value[:domain] if value[:domain]
            path    = "; path="    + value[:path]   if value[:path]
            # According to RFC 2109, we need dashes here.
            # N.B.: cgi.rb uses spaces...
            expires = "; expires=" + value[:expires].clone.gmtime.
              strftime("%a, %d-%b-%Y %H:%M:%S GMT") if value[:expires]
            secure = "; secure" if value[:secure]
            httponly = "; HttpOnly" if value[:httponly]
            value = value[:value]
          end
          value = [value] unless Array === value
          cookie = Rack::Utils.escape(key) + "=" +
            value.map { |v| Rack::Utils.escape(v) }.join("&") +
            "#{domain}#{path}#{expires}#{secure}#{httponly}"
        end

        def load_session(env)
          request = Rack::Request.new(env)
          session_data = request.cookies[@key]
          data = unmarshal(session_data) || persistent_session_id!({})
          data.stringify_keys!
          [data["session_id"], data]
        end

        # Marshal a session hash into safe cookie data. Include an integrity hash.
        def marshal(session)
          @verifier.generate(persistent_session_id!(session))
        end

        # Unmarshal cookie data to a hash and verify its integrity.
        def unmarshal(cookie)
          persistent_session_id!(@verifier.verify(cookie)) if cookie
        rescue ActiveSupport::MessageVerifier::InvalidSignature
          nil
        end

        def ensure_session_key(key)
          if key.blank?
            raise ArgumentError, 'A key is required to write a ' +
              'cookie containing the session data. Use ' +
              'config.action_controller.session_store :cookie_store, { :key => ' +
              '"_myapp_session" } in config/application.rb'
          end
        end

        # To prevent users from using something insecure like "Password" we make sure that the
        # secret they've provided is at least 30 characters in length.
        def ensure_secret_secure(secret)
          # There's no way we can do this check if they've provided a proc for the
          # secret.
          return true if secret.is_a?(Proc)

          if secret.blank?
            raise ArgumentError, "A secret is required to generate an " +
              "integrity hash for cookie session data. Use " +
              "config.cookie_secret = \"some secret phrase of at " +
              "least #{SECRET_MIN_LENGTH} characters\"" +
              "in config/application.rb"
          end

          if secret.length < SECRET_MIN_LENGTH
            raise ArgumentError, "Secret should be something secure, " +
              "like \"#{ActiveSupport::SecureRandom.hex(16)}\".  The value you " +
              "provided, \"#{secret}\", is shorter than the minimum length " +
              "of #{SECRET_MIN_LENGTH} characters"
          end
        end

        def verifier_for(secret, digest)
          key = secret.respond_to?(:call) ? secret.call : secret
          ActiveSupport::MessageVerifier.new(key, digest)
        end

        def generate_sid
          ActiveSupport::SecureRandom.hex(16)
        end

        def persistent_session_id!(data)
          (data ||= {}).merge!(inject_persistent_session_id(data))
        end

        def inject_persistent_session_id(data)
          requires_session_id?(data) ? { "session_id" => generate_sid } : {}
        end

        def requires_session_id?(data)
          if data
            data.respond_to?(:key?) && !data.key?("session_id")
          else
            true
          end
        end
    end
  end
end