Don’t use a cookie for unique Session ID

2018-05-14 02:37:49 +01:00 · 2018-05-14 02:37:49 +01:00 · 295285707e
commit 295285707e
parent 6f02651c4f
6 changed files with 22 additions and 69 deletions
--- a/db/session.go
+++ b/db/session.go
@ -24,7 +24,7 @@ func session(c *fibre.Context) (out map[string]interface{}) {

 	out[varKeyIp] = c.IP().String()

-	out[varKeyId] = c.Get(varKeyCook)
+	out[varKeyId] = c.Get(varKeyUniq)

 	out[varKeyOrigin] = c.Origin()

--- a/db/vars.go
+++ b/db/vars.go
@ -61,7 +61,7 @@ const (
 	varKeyIp      = "ip"
 	varKeyEnv     = "ENV"
 	varKeyAuth    = "auth"
-	varKeyCook    = "cook"
+	varKeyUniq    = "uniq"
 	varKeyThis    = "this"
 	varKeyScope   = "scope"
 	varKeyValue   = "value"
--- a/web/auth.go
+++ b/web/auth.go
@ -86,6 +86,14 @@ func auth() fibre.MiddlewareFunc {
 				auth.Selected.DB = subs[1]
 			}

+			// If there is a Session ID specified in
+			// the request headers, then mark it as
+			// the connection Session ID.
+
+			if id := c.Request().Header().Get(varKeyId); len(id) != 0 {
+				c.Set(varKeyUniq, id)
+			}
+
 			// If there is a namespace specified in
 			// the request headers, then mark it as
 			// the selected namespace.
@ -136,6 +144,16 @@ func auth() fibre.MiddlewareFunc {

 			if len(head) == 0 {

+				// If there is a Session ID specified as
+				// one of the socket protocols then use
+				// this as the connection Session ID.
+
+				for _, prot := range websocket.Subprotocols(c.Request().Request) {
+					if len(prot) > 3 && prot[0:3] == "id-" {
+						c.Set(varKeyUniq, prot[3:])
+					}
+				}
+
 				// If there is a NS configuration option
 				// defined as one of the socket protocols
 				// then use this as the selected NS.
--- a/web/sess.go
+++ b/web/sess.go
@ -1,60 +0,0 @@
-// Copyright © 2016 Abcum Ltd
-//
-// Licensed under the Apache License, Version 2.0 (the "License");
-// you may not use this file except in compliance with the License.
-// You may obtain a copy of the License at
-//
-//     http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-// distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-
-package web
-
-import (
-	"time"
-
-	"net/http"
-
-	"github.com/abcum/fibre"
-	"github.com/abcum/surreal/cnf"
-	"github.com/abcum/surreal/util/rand"
-)
-
-const cookie = "surreal"
-
-func uniq(val *http.Cookie) string {
-	if val != nil && len(val.Value) == 64 {
-		return val.Value
-	}
-	return rand.String(64)
-}
-
-func sess() fibre.MiddlewareFunc {
-	return func(h fibre.HandlerFunc) fibre.HandlerFunc {
-		return func(c *fibre.Context) (err error) {
-
-			val, _ := c.Request().Cookie(cookie)
-			crt := len(cnf.Settings.Cert.Crt) != 0
-			key := len(cnf.Settings.Cert.Key) != 0
-
-			val = &http.Cookie{
-				Name:     cookie,
-				Value:    uniq(val),
-				Secure:   (crt && key),
-				HttpOnly: true,
-				Expires:  time.Now().Add(365 * 24 * time.Hour),
-			}
-
-			c.Response().Header().Set("Set-Cookie", val.String())
-
-			c.Set(varKeyCook, val.Value)
-
-			return h(c)
-
-		}
-	}
-}
--- a/web/vars.go
+++ b/web/vars.go
@ -25,5 +25,5 @@ const (
 	varKeyAuth = "auth"
 	varKeyUser = "user"
 	varKeyPass = "pass"
-	varKeyCook = "cook"
+	varKeyUniq = "uniq"
 )
--- a/web/web.go
+++ b/web/web.go
@ -65,8 +65,7 @@ func Setup(opts *cnf.Options) (err error) {
 			"DB",
 			"ID",
 		},
-		AccessControlMaxAge:           1800,
-		AccessControlAllowCredentials: true,
+		AccessControlMaxAge: 1800,
 	}))

 	// Check body size
@ -75,10 +74,6 @@ func Setup(opts *cnf.Options) (err error) {
 		AllowedLength: 1 << 20, // 1mb
 	}))

-	// Setup session cookie
-
-	s.Use(sess())
-
 	// Setup authentication

 	s.Use(auth())