Don’t use a cookie for unique Session ID

2018-05-14 02:37:49 +01:00 · 2018-05-14 02:37:49 +01:00 · 295285707e
commit 295285707e
parent 6f02651c4f
6 changed files with 22 additions and 69 deletions
--- a/db/session.go
+++ b/db/session.go
@ -24,7 +24,7 @@ func session(c *fibre.Context) (out map[string]interface{}) {
 	out[varKeyIp] = c.IP().String()
-	out[varKeyId] = c.Get(varKeyCook)
+	out[varKeyId] = c.Get(varKeyUniq)
 	out[varKeyOrigin] = c.Origin()
--- a/db/vars.go
+++ b/db/vars.go
@ -61,7 +61,7 @@ const (
 	varKeyIp      = "ip"
 	varKeyEnv     = "ENV"
 	varKeyAuth    = "auth"
-	varKeyCook    = "cook"
+	varKeyUniq    = "uniq"
 	varKeyThis    = "this"
 	varKeyScope   = "scope"
 	varKeyValue   = "value"
--- a/web/auth.go
+++ b/web/auth.go
@ -86,6 +86,14 @@ func auth() fibre.MiddlewareFunc {
 				auth.Selected.DB = subs[1]
 			}
 			// If there is a Session ID specified in
 			// the request headers, then mark it as
 			// the connection Session ID.
 			if id := c.Request().Header().Get(varKeyId); len(id) != 0 {
 				c.Set(varKeyUniq, id)
 			}
 			// If there is a namespace specified in
 			// the request headers, then mark it as
 			// the selected namespace.
@ -136,6 +144,16 @@ func auth() fibre.MiddlewareFunc {
 			if len(head) == 0 {
 				// If there is a Session ID specified as
 				// one of the socket protocols then use
 				// this as the connection Session ID.
 				for _, prot := range websocket.Subprotocols(c.Request().Request) {
 					if len(prot) > 3 && prot[0:3] == "id-" {
 						c.Set(varKeyUniq, prot[3:])
 					}
 				}
 				// If there is a NS configuration option
 				// defined as one of the socket protocols
 				// then use this as the selected NS.
--- a/web/sess.go
+++ b/web/sess.go
@ -1,60 +0,0 @@
 // Copyright © 2016 Abcum Ltd
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
 package web
 import (
 	"time"
 	"net/http"
 	"github.com/abcum/fibre"
 	"github.com/abcum/surreal/cnf"
 	"github.com/abcum/surreal/util/rand"
 )
 const cookie = "surreal"
 func uniq(val *http.Cookie) string {
 	if val != nil && len(val.Value) == 64 {
 		return val.Value
 	}
 	return rand.String(64)
 }
 func sess() fibre.MiddlewareFunc {
 	return func(h fibre.HandlerFunc) fibre.HandlerFunc {
 		return func(c *fibre.Context) (err error) {
 			val, _ := c.Request().Cookie(cookie)
 			crt := len(cnf.Settings.Cert.Crt) != 0
 			key := len(cnf.Settings.Cert.Key) != 0
 			val = &http.Cookie{
 				Name:     cookie,
 				Value:    uniq(val),
 				Secure:   (crt && key),
 				HttpOnly: true,
 				Expires:  time.Now().Add(365 * 24 * time.Hour),
 			}
 			c.Response().Header().Set("Set-Cookie", val.String())
 			c.Set(varKeyCook, val.Value)
 			return h(c)
 		}
 	}
 }
--- a/web/vars.go
+++ b/web/vars.go
@ -25,5 +25,5 @@ const (
 	varKeyAuth = "auth"
 	varKeyUser = "user"
 	varKeyPass = "pass"
-	varKeyCook = "cook"
+	varKeyUniq = "uniq"
 )
--- a/web/web.go
+++ b/web/web.go
@ -65,8 +65,7 @@ func Setup(opts *cnf.Options) (err error) {
 			"DB",
 			"ID",
 		},
-		AccessControlMaxAge:           1800,
+		AccessControlMaxAge: 1800,
 		AccessControlAllowCredentials: true,
 	}))
 	// Check body size
@ -75,10 +74,6 @@ func Setup(opts *cnf.Options) (err error) {
 		AllowedLength: 1 << 20, // 1mb
 	}))
 	// Setup session cookie
 	s.Use(sess())
 	// Setup authentication
 	s.Use(auth())