123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292 |
- // Copyright 2012 The Gorilla Authors. All rights reserved.
- // Use of this source code is governed by a BSD-style
- // license that can be found in the LICENSE file.
- package sessions
- import (
- "encoding/base32"
- "io/ioutil"
- "net/http"
- "os"
- "path/filepath"
- "strings"
- "sync"
- "github.com/gorilla/securecookie"
- )
- // Store is an interface for custom session stores.
- //
- // See CookieStore and FilesystemStore for examples.
- type Store interface {
- // Get should return a cached session.
- Get(r *http.Request, name string) (*Session, error)
- // New should create and return a new session.
- //
- // Note that New should never return a nil session, even in the case of
- // an error if using the Registry infrastructure to cache the session.
- New(r *http.Request, name string) (*Session, error)
- // Save should persist session to the underlying store implementation.
- Save(r *http.Request, w http.ResponseWriter, s *Session) error
- }
- // CookieStore ----------------------------------------------------------------
- // NewCookieStore returns a new CookieStore.
- //
- // Keys are defined in pairs to allow key rotation, but the common case is
- // to set a single authentication key and optionally an encryption key.
- //
- // The first key in a pair is used for authentication and the second for
- // encryption. The encryption key can be set to nil or omitted in the last
- // pair, but the authentication key is required in all pairs.
- //
- // It is recommended to use an authentication key with 32 or 64 bytes.
- // The encryption key, if set, must be either 16, 24, or 32 bytes to select
- // AES-128, AES-192, or AES-256 modes.
- func NewCookieStore(keyPairs ...[]byte) *CookieStore {
- cs := &CookieStore{
- Codecs: securecookie.CodecsFromPairs(keyPairs...),
- Options: &Options{
- Path: "/",
- MaxAge: 86400 * 30,
- },
- }
- cs.MaxAge(cs.Options.MaxAge)
- return cs
- }
- // CookieStore stores sessions using secure cookies.
- type CookieStore struct {
- Codecs []securecookie.Codec
- Options *Options // default configuration
- }
- // Get returns a session for the given name after adding it to the registry.
- //
- // It returns a new session if the sessions doesn't exist. Access IsNew on
- // the session to check if it is an existing session or a new one.
- //
- // It returns a new session and an error if the session exists but could
- // not be decoded.
- func (s *CookieStore) Get(r *http.Request, name string) (*Session, error) {
- return GetRegistry(r).Get(s, name)
- }
- // New returns a session for the given name without adding it to the registry.
- //
- // The difference between New() and Get() is that calling New() twice will
- // decode the session data twice, while Get() registers and reuses the same
- // decoded session after the first call.
- func (s *CookieStore) New(r *http.Request, name string) (*Session, error) {
- session := NewSession(s, name)
- opts := *s.Options
- session.Options = &opts
- session.IsNew = true
- var err error
- if c, errCookie := r.Cookie(name); errCookie == nil {
- err = securecookie.DecodeMulti(name, c.Value, &session.Values,
- s.Codecs...)
- if err == nil {
- session.IsNew = false
- }
- }
- return session, err
- }
- // Save adds a single session to the response.
- func (s *CookieStore) Save(r *http.Request, w http.ResponseWriter,
- session *Session) error {
- encoded, err := securecookie.EncodeMulti(session.Name(), session.Values,
- s.Codecs...)
- if err != nil {
- return err
- }
- http.SetCookie(w, NewCookie(session.Name(), encoded, session.Options))
- return nil
- }
- // MaxAge sets the maximum age for the store and the underlying cookie
- // implementation. Individual sessions can be deleted by setting Options.MaxAge
- // = -1 for that session.
- func (s *CookieStore) MaxAge(age int) {
- s.Options.MaxAge = age
- // Set the maxAge for each securecookie instance.
- for _, codec := range s.Codecs {
- if sc, ok := codec.(*securecookie.SecureCookie); ok {
- sc.MaxAge(age)
- }
- }
- }
- // FilesystemStore ------------------------------------------------------------
- var fileMutex sync.RWMutex
- // NewFilesystemStore returns a new FilesystemStore.
- //
- // The path argument is the directory where sessions will be saved. If empty
- // it will use os.TempDir().
- //
- // See NewCookieStore() for a description of the other parameters.
- func NewFilesystemStore(path string, keyPairs ...[]byte) *FilesystemStore {
- if path == "" {
- path = os.TempDir()
- }
- fs := &FilesystemStore{
- Codecs: securecookie.CodecsFromPairs(keyPairs...),
- Options: &Options{
- Path: "/",
- MaxAge: 86400 * 30,
- },
- path: path,
- }
- fs.MaxAge(fs.Options.MaxAge)
- return fs
- }
- // FilesystemStore stores sessions in the filesystem.
- //
- // It also serves as a reference for custom stores.
- //
- // This store is still experimental and not well tested. Feedback is welcome.
- type FilesystemStore struct {
- Codecs []securecookie.Codec
- Options *Options // default configuration
- path string
- }
- // MaxLength restricts the maximum length of new sessions to l.
- // If l is 0 there is no limit to the size of a session, use with caution.
- // The default for a new FilesystemStore is 4096.
- func (s *FilesystemStore) MaxLength(l int) {
- for _, c := range s.Codecs {
- if codec, ok := c.(*securecookie.SecureCookie); ok {
- codec.MaxLength(l)
- }
- }
- }
- // Get returns a session for the given name after adding it to the registry.
- //
- // See CookieStore.Get().
- func (s *FilesystemStore) Get(r *http.Request, name string) (*Session, error) {
- return GetRegistry(r).Get(s, name)
- }
- // New returns a session for the given name without adding it to the registry.
- //
- // See CookieStore.New().
- func (s *FilesystemStore) New(r *http.Request, name string) (*Session, error) {
- session := NewSession(s, name)
- opts := *s.Options
- session.Options = &opts
- session.IsNew = true
- var err error
- if c, errCookie := r.Cookie(name); errCookie == nil {
- err = securecookie.DecodeMulti(name, c.Value, &session.ID, s.Codecs...)
- if err == nil {
- err = s.load(session)
- if err == nil {
- session.IsNew = false
- }
- }
- }
- return session, err
- }
- // Save adds a single session to the response.
- //
- // If the Options.MaxAge of the session is <= 0 then the session file will be
- // deleted from the store path. With this process it enforces the properly
- // session cookie handling so no need to trust in the cookie management in the
- // web browser.
- func (s *FilesystemStore) Save(r *http.Request, w http.ResponseWriter,
- session *Session) error {
- // Delete if max-age is <= 0
- if session.Options.MaxAge <= 0 {
- if err := s.erase(session); err != nil {
- return err
- }
- http.SetCookie(w, NewCookie(session.Name(), "", session.Options))
- return nil
- }
- if session.ID == "" {
- // Because the ID is used in the filename, encode it to
- // use alphanumeric characters only.
- session.ID = strings.TrimRight(
- base32.StdEncoding.EncodeToString(
- securecookie.GenerateRandomKey(32)), "=")
- }
- if err := s.save(session); err != nil {
- return err
- }
- encoded, err := securecookie.EncodeMulti(session.Name(), session.ID,
- s.Codecs...)
- if err != nil {
- return err
- }
- http.SetCookie(w, NewCookie(session.Name(), encoded, session.Options))
- return nil
- }
- // MaxAge sets the maximum age for the store and the underlying cookie
- // implementation. Individual sessions can be deleted by setting Options.MaxAge
- // = -1 for that session.
- func (s *FilesystemStore) MaxAge(age int) {
- s.Options.MaxAge = age
- // Set the maxAge for each securecookie instance.
- for _, codec := range s.Codecs {
- if sc, ok := codec.(*securecookie.SecureCookie); ok {
- sc.MaxAge(age)
- }
- }
- }
- // save writes encoded session.Values to a file.
- func (s *FilesystemStore) save(session *Session) error {
- encoded, err := securecookie.EncodeMulti(session.Name(), session.Values,
- s.Codecs...)
- if err != nil {
- return err
- }
- filename := filepath.Join(s.path, "session_"+session.ID)
- fileMutex.Lock()
- defer fileMutex.Unlock()
- return ioutil.WriteFile(filename, []byte(encoded), 0600)
- }
- // load reads a file and decodes its content into session.Values.
- func (s *FilesystemStore) load(session *Session) error {
- filename := filepath.Join(s.path, "session_"+session.ID)
- fileMutex.RLock()
- defer fileMutex.RUnlock()
- fdata, err := ioutil.ReadFile(filename)
- if err != nil {
- return err
- }
- if err = securecookie.DecodeMulti(session.Name(), string(fdata),
- &session.Values, s.Codecs...); err != nil {
- return err
- }
- return nil
- }
- // delete session file
- func (s *FilesystemStore) erase(session *Session) error {
- filename := filepath.Join(s.path, "session_"+session.ID)
- fileMutex.RLock()
- defer fileMutex.RUnlock()
- err := os.Remove(filename)
- return err
- }
|