Session module for managing session cookies #94
Conversation
Overall, I like the addition. We have something similar to this, but specifically for Django cookie sessions. Here are some notes:
Good points, thanks. On Tue, Jan 8, 2013 at 6:19 PM, Dmitry Demeshchuk
…really understand the security implications of this. There is no term_to_binary in the code now.
I have made the suggested changes and also corrected some bugs found on the way. I do not understand the implications of getting rid of the username and only leaving the expiration time to generate the keys.
Sorry for the delay on this. I've taken a brief look, overall looks good. Will give it a full review later today.
Last final notes.
ensure_binary(B) when is_binary(B) ->
B;
ensure_binary(L) when is_list(L) ->
iolist_to_binary(L). %% note, iolist_to_binary is better, since we might use something like mochijson2 here and then
Don't forget to modify the function guards.
Key=gen_key(ExpTime,ServerKey), | ||
Hmac=gen_hmac(ExpTime,BData,FSessionKey(integer_to_list(ExpirationTime)),Key), | ||
EData=encrypt_data(BData,Key), | ||
bin_to_hexstr(<< BExpTime/binary,",", EData/binary,Hmac/binary>>). |
I would either separate all the parameters with a comma or remove the comma altogether (since the expiration time length is a known thing).
If you choose the latter, swap Hmac and EData, and you'll be able to do simple pattern-matching instead of binary module splits.
Also, see some in-code notes I left.
%% @spec generate_session_data(ExpirationTime,Data :: string(),FSessionKey : function(A),ServerKey) -> binary() | ||
%% @doc generates a secure encrypted binary convining all the parameters. | ||
%% The expiration time is a number that must be able to be represented on 32 bit. | ||
generate_session_data(ExpirationTime,Data,FSessionKey,ServerKey) when is_integer(ExpirationTime),is_list(Data), is_function(FSessionKey)-> |
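Review bot: the guard `is_integer(ExpirationTime)` does not enforce the 32-bit range the @doc promises, so a negative value or one above 2^32-1 passes the guard and only fails later when the binary is built; and `is_list(Data)` rejects binaries even though the conversion helper being added accepts them (as the review note below also says). Suggest `when is_integer(ExpirationTime), ExpirationTime >= 0, ExpirationTime < 16#100000000, (is_list(Data) orelse is_binary(Data)), is_function(FSessionKey, 1)`, a guard on `ServerKey` as well, and "combining" for "convining" in the @doc.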
Actually, Data can be a binary here too.
Looks great now! Besides a small note above, I'd like you to do some formatting:
Sorry if I seem way too critical, it's just important to make the code consistent and re-usable. Your addition is really appreciated, as well as your patience! :)
Just a hint: if you're using vim, you could run the following commands for the points 1 and 2:
The extra two commands are here to fix the places where you actually used the correct spacing.
Good, thanks for the addition!
There is a bug. The generated cookie data does not avoid RFC 2616 separators.
Do you have an example?
mochiweb_session:generate_session_cookie(mochiwebf:timestamp_sec(now()), "a@gmail.com",fun(N)->N end,"asdjfjwejriwejsd"). We are using base64:encode for encoding. Any ideas of what might be the way to explore?
It does look like this module is broken, and shouldn't be used until this On Fri, Mar 15, 2013 at 2:32 AM, lhft notifications@github.com wrote:
I've added a base64url codec and changed mochiweb_session to use it. It On Fri, Mar 15, 2013 at 10:30 AM, Bob Ippolito bob@redivi.com wrote:
The new module can be used to create a secure session cookie and to check it on every request. The functions have been implemented following the "A Secure Cookie Protocol" paper that can be found here http://www.cse.msu.edu/~alexliu/publications/Cookie/cookie.pdf
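As an added worked example (not the PR's Erlang code and not part of mochiweb), here is the protocol from the paper named above in Python, with the cookie value encoded as unpadded base64url so that it contains none of the RFC 2616 separators reported earlier in this thread (standard base64 emits `/` and `=`, which are separators). The HMAC-SHA256 counter keystream standing in for the paper's block cipher, the per-cookie nonce, the wire layout, and all function names are this example's own assumptions; the session key is passed directly rather than through the PR's FSessionKey callback.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# RFC 2616 section 2.2 "separators". Standard base64 output uses '/' and '=',
# both in this set, which is why a base64-encoded cookie value can be cut short.
RFC2616_SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def b64url_encode(raw):
    """Unpadded base64url; its alphabet [A-Za-z0-9-_] contains no separator."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    """Inverse of b64url_encode; restores the padding urlsafe_b64decode expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def has_separator(cookie_value):
    """True if an RFC 2616 tokenizer would split or truncate this cookie value."""
    return any(c in RFC2616_SEPARATORS for c in cookie_value)


def _derive_key(user, exp, server_key):
    # Paper: k = HMAC(user | expiration, sk). sk never leaves the server.
    return hmac.new(server_key, user + b"|" + struct.pack(">I", exp), hashlib.sha256).digest()


def _mac(k, user, exp, data, session_key):
    # Paper: HMAC(user | expiration | data | session key, k), over the plaintext data.
    msg = user + b"|" + struct.pack(">I", exp) + b"|" + data + b"|" + session_key
    return hmac.new(k, msg, hashlib.sha256).digest()


def _xor_keystream(k, nonce, data):
    # Assumption standing in for the paper's block cipher (not the PR's encrypt_data):
    # HMAC-SHA256 in counter mode under a per-cookie nonce, so two cookies for the
    # same user and expiry never share keystream. XOR makes it its own inverse.
    stream = b"".join(
        hmac.new(k, nonce + struct.pack(">I", i), hashlib.sha256).digest()
        for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))


def generate_session_cookie(exp, user, data, session_key, server_key, nonce=None):
    """Cookie value = base64url(len(user) | user | exp | nonce | Enc_k(data) | HMAC)."""
    if not 0 <= exp < 2 ** 32:
        raise ValueError("expiration time must fit in 32 bits")
    if len(user) > 0xFFFF:
        raise ValueError("user name too long")
    nonce = os.urandom(16) if nonce is None else nonce
    k = _derive_key(user, exp, server_key)
    raw = (struct.pack(">H", len(user)) + user + struct.pack(">I", exp) + nonce
           + _xor_keystream(k, nonce, data) + _mac(k, user, exp, data, session_key))
    return b64url_encode(raw)


def check_session_cookie(cookie, session_key, server_key, now=None):
    """Return (user, data) for an authentic, unexpired cookie, else None."""
    try:
        raw = b64url_decode(cookie)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 2:
        return None
    ulen = struct.unpack(">H", raw[:2])[0]
    head = 2 + ulen
    if len(raw) < head + 4 + 16 + 32:  # exp + nonce + SHA-256 tag at minimum
        return None
    user = raw[2:head]
    exp = struct.unpack(">I", raw[head:head + 4])[0]
    nonce = raw[head + 4:head + 20]
    enc, tag = raw[head + 20:-32], raw[-32:]
    now = int(time.time()) if now is None else now
    if exp <= now:                                   # paper step 1: expiry check
        return None
    k = _derive_key(user, exp, server_key)           # step 2: regenerate k
    data = _xor_keystream(k, nonce, enc)             # step 3: decrypt
    if not hmac.compare_digest(_mac(k, user, exp, data, session_key), tag):
        return None                                  # step 4: verify HMAC, constant time
    return user, data
```

Because the paper's HMAC covers the plaintext, the checker must decrypt before it can authenticate; with the XOR keystream used here nothing is parsed before the tag comparison, but with a padded block cipher you would rather MAC the ciphertext. Binding the tag to the caller's session key (the paper uses the SSL session key) is what stops a cookie copied out of one connection from being replayed on another.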