[catagits/Catalyst-Plugin-Session.git] / lib / Catalyst / Plugin / Session.pm

#!/usr/bin/perl

package Catalyst::Plugin::Session;
use base qw/Class::Accessor::Fast/;

use strict;
use warnings;

use NEXT;
use Catalyst::Exception ();
use Digest              ();
use overload            ();

our $VERSION = "0.02";

BEGIN {
    __PACKAGE__->mk_accessors(qw/_sessionid _session _session_delete_reason _flash _flash_stale_keys/);
}

sub setup {
    my $c = shift;

    $c->NEXT::setup(@_);

    $c->check_session_plugin_requirements;
    $c->setup_session;

    return $c;
}

sub check_session_plugin_requirements {
    my $c = shift;

    unless ( $c->isa("Catalyst::Plugin::Session::State")
        && $c->isa("Catalyst::Plugin::Session::Store") )
    {
        my $err =
          (     "The Session plugin requires both Session::State "
              . "and Session::Store plugins to be used as well." );

        $c->log->fatal($err);
        Catalyst::Exception->throw($err);
    }
}

sub setup_session {
    my $c = shift;

    my $cfg = ( $c->config->{session} ||= {} );

    %$cfg = (
        expires        => 7200,
        verify_address => 1,
        %$cfg,
    );

    $c->NEXT::setup_session();
}


sub finalize {
    my $c = shift;

    $c->_save_session;
    $c->_save_flash;

    $c->NEXT::finalize(@_);
}

sub _save_session {
    my $c = shift;
    
    if ( my $sid = $c->_sessionid ) {
        if ( my $session_data = $c->_session ) {

            # all sessions are extended at the end of the request
            my $now = time;
            @{ $session_data }{qw/__updated __expires/} =
              ( $now, $c->config->{session}{expires} + $now );

            $c->store_session_data( "session:$sid", $session_data );
        }
    }
}

sub _save_flash {
    my $c = shift;

    if ( my $sid = $c->_sessionid ) {
        if ( my $flash_data = $c->_flash ) {
            if ( %$flash_data ) { # damn 'my' declarations
                delete @{ $flash_data }{ @{ $c->_flash_stale_keys || [] } };
                $c->store_session_data( "flash:$sid", $flash_data );
            }
        } else {
            $c->delete_session_data( "flash:$sid" );
        }
    }
}

sub _load_session {
    my $c = shift;

    if ( my $sid = $c->_sessionid ) {
		no warnings 'uninitialized'; # ne __address

        my $session_data = $c->_session || $c->_session( $c->get_session_data( "session:$sid" ) );
        if ( !$session_data or $session_data->{__expires} < time ) {

            # session expired
            $c->log->debug("Deleting session $sid (expired)") if $c->debug;
            $c->delete_session("session expired");
        }
        elsif ($c->config->{session}{verify_address}
            && $session_data->{__address} ne $c->request->address )
        {
            $c->log->warn(
                    "Deleting session $sid due to address mismatch ("
                  . $session_data->{__address} . " != "
                  . $c->request->address . ")",
            );
            $c->delete_session("address mismatch");
        }
        else {
            $c->log->debug(qq/Restored session "$sid"/) if $c->debug;
        }
       
        $c->_expire_ession_keys;

        return $session_data;
    }

    return undef;
}

sub _load_flash {
    my $c = shift;

    if ( my $sid = $c->_sessionid ) {
        if ( my $flash_data = $c->_flash || $c->_flash( $c->get_session_data( "flash:$sid" ) ) ) {
            $c->_flash_stale_keys([ keys %$flash_data ]);
            return $flash_data;
        }
    }

    return undef;
}

sub _expire_ession_keys {
    my ( $c, $data ) = @_;

    my $now = time;

    my $expiry = ($data || $c->_session || {})->{__expire_keys} || {};
    foreach my $key (grep { $expiry->{$_} < $now } keys %$expiry ) {
        delete $c->_session->{$key};
        delete $expiry->{$key};
    }
}

sub delete_session {
    my ( $c, $msg ) = @_;

    # delete the session data
    my $sid = $c->_sessionid || return;
    $c->delete_session_data( "session:$sid" );

    # reset the values in the context object
    $c->_session(undef);
    $c->_sessionid(undef);
    $c->_session_delete_reason($msg);
}

sub session_delete_reason {
    my $c = shift;

    $c->_load_session if ( $c->_sessionid && !$c->_session ); # must verify session data

    $c->_session_delete_reason( @_ );
}

sub sessionid {
	my $c = shift;
    
	if ( @_ ) {
		if ( $c->validate_session_id( my $sid = shift ) ) {
			$c->_sessionid( $sid );
            return unless defined wantarray;
		} else {
			my $err = "Tried to set invalid session ID '$sid'";
			$c->log->error( $err );
			Catalyst::Exception->throw( $err );
		}
	}
    
    $c->_load_session if ( $c->_sessionid && !$c->_session ); # must verify session data

	return $c->_sessionid;
}

sub validate_session_id {
	my ( $c, $sid ) = @_;

	$sid and $sid =~ /^[a-f\d]+$/i;
}

sub session {
    my $c = shift;

    $c->_session || $c->_load_session || do {
        my $sid = $c->generate_session_id;
        $c->sessionid($sid);

        $c->log->debug(qq/Created session "$sid"/) if $c->debug;

        $c->initialize_session_data;
	};
}

sub flash {
    my $c = shift;
    $c->_flash || $c->_load_flash || $c->_flash( {} );
}

sub session_expire_key {
    my ( $c, %keys ) = @_;

    my $now = time;
    @{ $c->session->{__expire_keys} }{keys %keys} = map { $now + $_ } values %keys;
}

sub initialize_session_data {
    my $c = shift;

    my $now = time;

    return $c->_session({
        __created => $now,
        __updated => $now,
        __expires => $now + $c->config->{session}{expires},

        (
            $c->config->{session}{verify_address}
            ? ( __address => $c->request->address )
            : ()
        ),
    });
}

sub generate_session_id {
    my $c = shift;

    my $digest = $c->_find_digest();
    $digest->add( $c->session_hash_seed() );
    return $digest->hexdigest;
}

my $counter;

sub session_hash_seed {
    my $c = shift;

    return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
}

my $usable;

sub _find_digest () {
    unless ($usable) {
        foreach my $alg (qw/SHA-1 MD5 SHA-256/) {
            eval {
                my $obj = Digest->new($alg);
                $usable = $alg;
                return $obj;
            };
        }
        $usable
          or Catalyst::Exception->throw(
                "Could not find a suitable Digest module. Please install "
              . "Digest::SHA1, Digest::SHA, or Digest::MD5" );
    }

    return Digest->new($usable);
}

sub dump_these {
    my $c = shift;

    (
        $c->NEXT::dump_these(),

        $c->sessionid
        ? ( [ "Session ID" => $c->sessionid ], [ Session => $c->session ], )
        : ()
    );
}

__PACKAGE__;

__END__

=pod

=head1 NAME

Catalyst::Plugin::Session - Generic Session plugin - ties together server side
storage and client side state required to maintain session data.

=head1 SYNOPSIS

    # To get sessions to "just work", all you need to do is use these plugins:

    use Catalyst qw/
      Session
      Session::Store::FastMmap
      Session::State::Cookie
      /;

	# you can replace Store::FastMmap with Store::File - both have sensible
	# default configurations (see their docs for details)

	# more complicated backends are available for other scenarios (DBI storage,
	# etc)


    # after you've loaded the plugins you can save session data
    # For example, if you are writing a shopping cart, it could be implemented
    # like this:

    sub add_item : Local {
        my ( $self, $c ) = @_;

        my $item_id = $c->req->param("item");

        # $c->session is a hash ref, a bit like $c->stash
        # the difference is that it' preserved across requests

        push @{ $c->session->{items} }, $item_id;

        $c->forward("MyView");
    }

    sub display_items : Local {
        my ( $self, $c ) = @_;

        # values in $c->session are restored
        $c->stash->{items_to_display} =
          [ map { MyModel->retrieve($_) } @{ $c->session->{items} } ];

        $c->forward("MyView");
    }

=head1 DESCRIPTION

The Session plugin is the base of two related parts of functionality required
for session management in web applications.

The first part, the State, is getting the browser to repeat back a session key,
so that the web application can identify the client and logically string
several requests together into a session.

The second part, the Store, deals with the actual storage of information about
the client. This data is stored so that the it may be revived for every request
made by the same client.

This plugin links the two pieces together.

=head1 RECCOMENDED BACKENDS

=over 4

=item Session::State::Cookie

The only really sane way to do state is using cookies.

=item Session::Store::File

A portable backend, based on Cache::File.

=item Session::Store::FastMmap

A fast and flexible backend, based on Cache::FastMmap.

=back

=head1 METHODS

=over 4

=item sessionid

An accessor for the session ID value.

=item session

Returns a hash reference that might contain unserialized values from previous
requests in the same session, and whose modified value will be saved for future
requests.

This method will automatically create a new session and session ID if none
exists.

=item flash

This is like Ruby on Rails' flash data structure. Think of it as a stash that
lasts a single redirect, not only a forward.

    sub moose : Local {
        my ( $self, $c ) = @_;

        $c->flash->{beans} = 10;
        $c->response->redirect( $c->uri_for("foo") );
    }

    sub foo : Local {
        my ( $self, $c ) = @_;

        my $value = $c->flash->{beans};

        # ...

        $c->response->redirect( $c->uri_for("bar") );
    }

    sub bar : Local {
        my ( $self, $c ) = @_;

        if ( exists $c->flash->{beans} ) { # false
        
        }
    }

=item session_delete_reason

This accessor contains a string with the reason a session was deleted. Possible
values include:

=over 4

=item *

C<address mismatch>

=item *

C<session expired>

=back

=item session_expire_key $key, $ttl

Mark a key to expire at a certain time (only useful when shorter than the
expiry time for the whole session).

For example:

    __PACKAGE__->config->{session}{expires} = 1000000000000; # forever

    # later

    $c->session_expire_key( __user => 3600 );

Will make the session data survive, but the user will still be logged out after
an hour.

Note that these values are not auto extended.

=back

=item INTERNAL METHODS

=over 4

=item setup

This method is extended to also make calls to
C<check_session_plugin_requirements> and C<setup_session>.

=item check_session_plugin_requirements

This method ensures that a State and a Store plugin are also in use by the
application.

=item setup_session

This method populates C<< $c->config->{session} >> with the default values
listed in L</CONFIGURATION>.

=item prepare_action

This methoid is extended, and will restore session data and check it for
validity if a session id is defined. It assumes that the State plugin will
populate the C<sessionid> key beforehand.

=item finalize

This method is extended and will extend the expiry time, as well as persist the
session data if a session exists.

=item delete_session REASON

This method is used to invalidate a session. It takes an optional parameter
which will be saved in C<session_delete_reason> if provided.

=item initialize_session_data

This method will initialize the internal structure of the session, and is
called by the C<session> method if appropriate.

=item generate_session_id

This method will return a string that can be used as a session ID. It is
supposed to be a reasonably random string with enough bits to prevent
collision. It basically takes C<session_hash_seed> and hashes it using SHA-1,
MD5 or SHA-256, depending on the availibility of these modules.

=item session_hash_seed

This method is actually rather internal to generate_session_id, but should be
overridable in case you want to provide more random data.

Currently it returns a concatenated string which contains:

=item validate_session_id SID

Make sure a session ID is of the right format.

This currently ensures that the session ID string is any amount of case
insensitive hexadecimal characters.

=over 4

=item *

A counter

=item *

The current time

=item *

One value from C<rand>.

=item *

The stringified value of a newly allocated hash reference

=item *

The stringified value of the Catalyst context object

=back

In the hopes that those combined values are entropic enough for most uses. If
this is not the case you can replace C<session_hash_seed> with e.g.

    sub session_hash_seed {
        open my $fh, "<", "/dev/random";
        read $fh, my $bytes, 20;
        close $fh;
        return $bytes;
    }

Or even more directly, replace C<generate_session_id>:

    sub generate_session_id {
        open my $fh, "<", "/dev/random";
        read $fh, my $bytes, 20;
        close $fh;
        return unpack("H*", $bytes);
    }

Also have a look at L<Crypt::Random> and the various openssl bindings - these
modules provide APIs for cryptographically secure random data.

=item dump_these

See L<Catalyst/dump_these> - ammends the session data structure to the list of
dumped objects if session ID is defined.

=back

=head1 USING SESSIONS DURING PREPARE

The earliest point in time at which you may use the session data is after
L<Catalyst::Plugin::Session>'s C<prepare_action> has finished.

State plugins must set $c->session ID before C<prepare_action>, and during
C<prepare_action> L<Catalyst::Plugin::Session> will actually load the data from
the store.

	sub prepare_action {
		my $c = shift;

		# don't touch $c->session yet!

		$c->NEXT::prepare_action( @_ );

		$c->session;  # this is OK
		$c->sessionid; # this is also OK
	}

=head1 CONFIGURATION

    $c->config->{session} = {
        expires => 1234,
    };

All configuation parameters are provided in a hash reference under the
C<session> key in the configuration hash.

=over 4

=item expires

The time-to-live of each session, expressed in seconds. Defaults to 7200 (two
hours).

=item verify_address

When true, C<<$c->request->address>> will be checked at prepare time. If it is
not the same as the address that initiated the session, the session is deleted.

=back

=head1 SPECIAL KEYS

The hash reference returned by C<< $c->session >> contains several keys which
are automatically set:

=over 4

=item __expires

A timestamp whose value is the last second when the session is still valid. If
a session is restored, and __expires is less than the current time, the session
is deleted.

=item __updated

The last time a session was saved. This is the value of
C<< $c->session->{__expires} - $c->config->session->{expires} >>.

=item __created

The time when the session was first created.

=item __address

The value of C<< $c->request->address >> at the time the session was created.
This value is only populated if C<verify_address> is true in the configuration.

=back

=head1 CAVEATS

=head2 Round the Robin Proxies

C<verify_address> could make your site inaccessible to users who are behind
load balanced proxies. Some ISPs may give a different IP to each request by the
same client due to this type of proxying. If addresses are verified these
users' sessions cannot persist.

To let these users access your site you can either disable address verification
as a whole, or provide a checkbox in the login dialog that tells the server
that it's OK for the address of the client to change. When the server sees that
this box is checked it should delete the C<__address> sepcial key from the
session hash when the hash is first created.

=head2 Race Conditions

In this day and age where cleaning detergents and dutch football (not the
american kind) teams roam the plains in great numbers, requests may happen
simultaneously. This means that there is some risk of session data being
overwritten, like this:

=over 4

=item 1.

request a starts, request b starts, with the same session id

=item 2.

session data is loaded in request a

=item 3.

session data is loaded in request b

=item 4.

session data is changed in request a

=item 5.

request a finishes, session data is updated and written to store

=item 6.

request b finishes, session data is updated and written to store, overwriting
changes by request a

=back

If this is a concern in your application, a soon to be developed locking
solution is the only safe way to go. This will have a bigger overhead.

For applications where any given user is only making one request at a time this
plugin should be safe enough.

=head1 AUTHORS

=over 4

=item Andy Grundman

=item Christian Hansen

=item Yuval Kogman, C<nothingmuch@woobling.org> (current maintainer)

=item Sebastian Riedel

=back

And countless other contributers from #catalyst. Thanks guys!

=head1 COPYRIGHT & LICENSE

	Copyright (c) 2005 the aforementioned authors. All rights
	reserved. This program is free software; you can redistribute
	it and/or modify it under the same terms as Perl itself.

=cut
Commit	Line	Data
9e447f9d	1	#!/usr/bin/perl
	2
	3	package Catalyst::Plugin::Session;
	4	use base qw/Class::Accessor::Fast/;
	5
	6	use strict;
	7	use warnings;
	8
	9	use NEXT;
	10	use Catalyst::Exception ();
9a9252c2	11	use Digest ();
9a9252c2	12	use overload ();
9e447f9d	13
b1cd7d77	14	our $VERSION = "0.02";
37160715	15
9e447f9d	16	BEGIN {
9b0fa2a6	17	__PACKAGE__->mk_accessors(qw/_sessionid _session _session_delete_reason _flash _flash_stale_keys/);
9e447f9d	18	}
	19
	20	sub setup {
9a9252c2	21	my $c = shift;
	22
	23	$c->NEXT::setup(@_);
	24
	25	$c->check_session_plugin_requirements;
	26	$c->setup_session;
	27
	28	return $c;
9e447f9d	29	}
	30
	31	sub check_session_plugin_requirements {
9a9252c2	32	my $c = shift;
9e447f9d	33
9a9252c2	34	unless ( $c->isa("Catalyst::Plugin::Session::State")
	35	&& $c->isa("Catalyst::Plugin::Session::Store") )
	36	{
	37	my $err =
	38	( "The Session plugin requires both Session::State "
	39	. "and Session::Store plugins to be used as well." );
9e447f9d	40
9a9252c2	41	$c->log->fatal($err);
	42	Catalyst::Exception->throw($err);
	43	}
9e447f9d	44	}
	45
	46	sub setup_session {
9a9252c2	47	my $c = shift;
9e447f9d	48
9a9252c2	49	my $cfg = ( $c->config->{session} \|\|= {} );
9e447f9d	50
9a9252c2	51	%$cfg = (
	52	expires => 7200,
	53	verify_address => 1,
	54	%$cfg,
	55	);
9e447f9d	56
9a9252c2	57	$c->NEXT::setup_session();
9e447f9d	58	}
9e447f9d	59
ea972e9a	60
9e447f9d	61	sub finalize {
9a9252c2	62	my $c = shift;
9e447f9d	63
9b0fa2a6	64	$c->_save_session;
	65	$c->_save_flash;
	66
	67	$c->NEXT::finalize(@_);
	68	}
	69
	70	sub _save_session {
	71	my $c = shift;
	72
ea972e9a	73	if ( my $sid = $c->_sessionid ) {
ea972e9a	74	if ( my $session_data = $c->_session ) {
9e447f9d	75
ea972e9a	76	# all sessions are extended at the end of the request
	77	my $now = time;
	78	@{ $session_data }{qw/__updated __expires/} =
	79	( $now, $c->config->{session}{expires} + $now );
9b0fa2a6	80
ea972e9a	81	$c->store_session_data( "session:$sid", $session_data );
ea972e9a	82	}
9a9252c2	83	}
9b0fa2a6	84	}
9a9252c2	85
9b0fa2a6	86	sub _save_flash {
	87	my $c = shift;
	88
ea972e9a	89	if ( my $sid = $c->_sessionid ) {
	90	if ( my $flash_data = $c->_flash ) {
	91	if ( %$flash_data ) { # damn 'my' declarations
	92	delete @{ $flash_data }{ @{ $c->_flash_stale_keys \|\| [] } };
	93	$c->store_session_data( "flash:$sid", $flash_data );
	94	}
	95	} else {
	96	$c->delete_session_data( "flash:$sid" );
	97	}
9b0fa2a6	98	}
9e447f9d	99	}
9e447f9d	100
b7acf64e	101	sub _load_session {
	102	my $c = shift;
	103
29d15411	104	if ( my $sid = $c->_sessionid ) {
0974ac06	105	no warnings 'uninitialized'; # ne __address
0974ac06	106
9b0fa2a6	107	my $session_data = $c->_session \|\| $c->_session( $c->get_session_data( "session:$sid" ) );
0974ac06	108	if ( !$session_data or $session_data->{__expires} < time ) {
3f182468	109
	110	# session expired
	111	$c->log->debug("Deleting session $sid (expired)") if $c->debug;
	112	$c->delete_session("session expired");
	113	}
29543a62	114	elsif ($c->config->{session}{verify_address}
0974ac06	115	&& $session_data->{__address} ne $c->request->address )
3f182468	116	{
	117	$c->log->warn(
	118	"Deleting session $sid due to address mismatch ("
0974ac06	119	. $session_data->{__address} . " != "
3f182468	120	. $c->request->address . ")",
	121	);
	122	$c->delete_session("address mismatch");
	123	}
29543a62	124	else {
	125	$c->log->debug(qq/Restored session "$sid"/) if $c->debug;
	126	}
873f7011	127
b7acf64e	128	$c->_expire_ession_keys;
b7acf64e	129
29d15411	130	return $session_data;
9a9252c2	131	}
29d15411	132
29d15411	133	return undef;
b7acf64e	134	}
9a9252c2	135
9b0fa2a6	136	sub _load_flash {
	137	my $c = shift;
	138
	139	if ( my $sid = $c->_sessionid ) {
ea972e9a	140	if ( my $flash_data = $c->_flash \|\| $c->_flash( $c->get_session_data( "flash:$sid" ) ) ) {
9b0fa2a6	141	$c->_flash_stale_keys([ keys %$flash_data ]);
	142	return $flash_data;
	143	}
	144	}
	145
	146	return undef;
	147	}
	148
b7acf64e	149	sub _expire_ession_keys {
	150	my ( $c, $data ) = @_;
	151
	152	my $now = time;
	153
	154	my $expiry = ($data \|\| $c->_session \|\| {})->{__expire_keys} \|\| {};
	155	foreach my $key (grep { $expiry->{$_} < $now } keys %$expiry ) {
	156	delete $c->_session->{$key};
	157	delete $expiry->{$key};
	158	}
9e447f9d	159	}
	160
	161	sub delete_session {
9a9252c2	162	my ( $c, $msg ) = @_;
9e447f9d	163
9a9252c2	164	# delete the session data
29d15411	165	my $sid = $c->_sessionid \|\| return;
9b0fa2a6	166	$c->delete_session_data( "session:$sid" );
9e447f9d	167
9a9252c2	168	# reset the values in the context object
0974ac06	169	$c->_session(undef);
0974ac06	170	$c->_sessionid(undef);
29d15411	171	$c->_session_delete_reason($msg);
	172	}
	173
	174	sub session_delete_reason {
	175	my $c = shift;
	176
	177	$c->_load_session if ( $c->_sessionid && !$c->_session ); # must verify session data
	178
	179	$c->_session_delete_reason( @_ );
9e447f9d	180	}
9e447f9d	181
0974ac06	182	sub sessionid {
0974ac06	183	my $c = shift;
29d15411	184
0974ac06	185	if ( @_ ) {
0974ac06	186	if ( $c->validate_session_id( my $sid = shift ) ) {
29d15411	187	$c->_sessionid( $sid );
29d15411	188	return unless defined wantarray;
0974ac06	189	} else {
	190	my $err = "Tried to set invalid session ID '$sid'";
	191	$c->log->error( $err );
	192	Catalyst::Exception->throw( $err );
	193	}
	194	}
29d15411	195
29d15411	196	$c->_load_session if ( $c->_sessionid && !$c->_session ); # must verify session data
0974ac06	197
	198	return $c->_sessionid;
	199	}
	200
	201	sub validate_session_id {
	202	my ( $c, $sid ) = @_;
	203
ea972e9a	204	$sid and $sid =~ /^[a-f\d]+$/i;
0974ac06	205	}
0974ac06	206
9e447f9d	207	sub session {
9a9252c2	208	my $c = shift;
9e447f9d	209
29d15411	210	$c->_session \|\| $c->_load_session \|\| do {
	211	my $sid = $c->generate_session_id;
	212	$c->sessionid($sid);
9e447f9d	213
29d15411	214	$c->log->debug(qq/Created session "$sid"/) if $c->debug;
9e447f9d	215
29d15411	216	$c->initialize_session_data;
0974ac06	217	};
9e447f9d	218	}
9e447f9d	219
873f7011	220	sub flash {
873f7011	221	my $c = shift;
9b0fa2a6	222	$c->_flash \|\| $c->_load_flash \|\| $c->_flash( {} );
873f7011	223	}
873f7011	224
b7acf64e	225	sub session_expire_key {
	226	my ( $c, %keys ) = @_;
	227
	228	my $now = time;
	229	@{ $c->session->{__expire_keys} }{keys %keys} = map { $now + $_ } values %keys;
	230	}
	231
9e447f9d	232	sub initialize_session_data {
9a9252c2	233	my $c = shift;
9e447f9d	234
9a9252c2	235	my $now = time;
9e447f9d	236
0974ac06	237	return $c->_session({
9a9252c2	238	__created => $now,
	239	__updated => $now,
	240	__expires => $now + $c->config->{session}{expires},
9e447f9d	241
9a9252c2	242	(
	243	$c->config->{session}{verify_address}
	244	? ( __address => $c->request->address )
	245	: ()
	246	),
0974ac06	247	});
9e447f9d	248	}
9e447f9d	249
9e447f9d	250	sub generate_session_id {
	251	my $c = shift;
	252
	253	my $digest = $c->_find_digest();
	254	$digest->add( $c->session_hash_seed() );
	255	return $digest->hexdigest;
	256	}
	257
	258	my $counter;
9a9252c2	259
9e447f9d	260	sub session_hash_seed {
9a9252c2	261	my $c = shift;
	262
	263	return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
9e447f9d	264	}
	265
	266	my $usable;
9a9252c2	267
9e447f9d	268	sub _find_digest () {
9a9252c2	269	unless ($usable) {
7d139eeb	270	foreach my $alg (qw/SHA-1 MD5 SHA-256/) {
7d139eeb	271	eval {
29543a62	272	my $obj = Digest->new($alg);
	273	$usable = $alg;
	274	return $obj;
	275	};
7d139eeb	276	}
7d139eeb	277	$usable
9a9252c2	278	or Catalyst::Exception->throw(
	279	"Could not find a suitable Digest module. Please install "
	280	. "Digest::SHA1, Digest::SHA, or Digest::MD5" );
	281	}
9e447f9d	282
	283	return Digest->new($usable);
	284	}
	285
99b2191e	286	sub dump_these {
	287	my $c = shift;
	288
	289	(
	290	$c->NEXT::dump_these(),
	291
	292	$c->sessionid
	293	? ( [ "Session ID" => $c->sessionid ], [ Session => $c->session ], )
	294	: ()
	295	);
	296	}
	297
9e447f9d	298	__PACKAGE__;
	299
	300	__END__
	301
	302	=pod
	303
	304	=head1 NAME
	305
	306	Catalyst::Plugin::Session - Generic Session plugin - ties together server side
fb1a4ac3	307	storage and client side state required to maintain session data.
9e447f9d	308
	309	=head1 SYNOPSIS
	310
8f0b4c16	311	# To get sessions to "just work", all you need to do is use these plugins:
	312
	313	use Catalyst qw/
	314	Session
	315	Session::Store::FastMmap
	316	Session::State::Cookie
	317	/;
	318
	319	# you can replace Store::FastMmap with Store::File - both have sensible
	320	# default configurations (see their docs for details)
	321
	322	# more complicated backends are available for other scenarios (DBI storage,
	323	# etc)
	324
	325
	326	# after you've loaded the plugins you can save session data
	327	# For example, if you are writing a shopping cart, it could be implemented
	328	# like this:
9e447f9d	329
229a5b53	330	sub add_item : Local {
	331	my ( $self, $c ) = @_;
	332
	333	my $item_id = $c->req->param("item");
	334
8f0b4c16	335	# $c->session is a hash ref, a bit like $c->stash
8f0b4c16	336	# the difference is that it' preserved across requests
229a5b53	337
	338	push @{ $c->session->{items} }, $item_id;
	339
	340	$c->forward("MyView");
	341	}
	342
	343	sub display_items : Local {
	344	my ( $self, $c ) = @_;
	345
	346	# values in $c->session are restored
	347	$c->stash->{items_to_display} =
8f0b4c16	348	[ map { MyModel->retrieve($_) } @{ $c->session->{items} } ];
229a5b53	349
	350	$c->forward("MyView");
	351	}
	352
9e447f9d	353	=head1 DESCRIPTION
	354
	355	The Session plugin is the base of two related parts of functionality required
	356	for session management in web applications.
	357
	358	The first part, the State, is getting the browser to repeat back a session key,
	359	so that the web application can identify the client and logically string
	360	several requests together into a session.
	361
	362	The second part, the Store, deals with the actual storage of information about
	363	the client. This data is stored so that the it may be revived for every request
	364	made by the same client.
	365
	366	This plugin links the two pieces together.
	367
8f0b4c16	368	=head1 RECCOMENDED BACKENDS
	369
	370	=over 4
	371
	372	=item Session::State::Cookie
	373
	374	The only really sane way to do state is using cookies.
	375
	376	=item Session::Store::File
	377
	378	A portable backend, based on Cache::File.
	379
	380	=item Session::Store::FastMmap
	381
	382	A fast and flexible backend, based on Cache::FastMmap.
	383
	384	=back
	385
9e447f9d	386	=head1 METHODS
	387
	388	=over 4
	389
	390	=item sessionid
	391
	392	An accessor for the session ID value.
	393
	394	=item session
	395
	396	Returns a hash reference that might contain unserialized values from previous
	397	requests in the same session, and whose modified value will be saved for future
	398	requests.
	399
	400	This method will automatically create a new session and session ID if none
	401	exists.
	402
07e714d2	403	=item flash
	404
	405	This is like Ruby on Rails' flash data structure. Think of it as a stash that
	406	lasts a single redirect, not only a forward.
	407
	408	sub moose : Local {
	409	my ( $self, $c ) = @_;
	410
	411	$c->flash->{beans} = 10;
	412	$c->response->redirect( $c->uri_for("foo") );
	413	}
	414
	415	sub foo : Local {
	416	my ( $self, $c ) = @_;
	417
	418	my $value = $c->flash->{beans};
	419
	420	# ...
	421
	422	$c->response->redirect( $c->uri_for("bar") );
	423	}
	424
	425	sub bar : Local {
	426	my ( $self, $c ) = @_;
	427
	428	if ( exists $c->flash->{beans} ) { # false
	429
	430	}
	431	}
	432
9e447f9d	433	=item session_delete_reason
	434
	435	This accessor contains a string with the reason a session was deleted. Possible
	436	values include:
	437
	438	=over 4
	439
	440	=item *
	441
	442	C<address mismatch>
	443
	444	=item *
	445
	446	C<session expired>
	447
	448	=back
	449
b7acf64e	450	=item session_expire_key $key, $ttl
	451
	452	Mark a key to expire at a certain time (only useful when shorter than the
	453	expiry time for the whole session).
	454
	455	For example:
	456
	457	__PACKAGE__->config->{session}{expires} = 1000000000000; # forever
	458
	459	# later
	460
	461	$c->session_expire_key( __user => 3600 );
	462
	463	Will make the session data survive, but the user will still be logged out after
	464	an hour.
	465
	466	Note that these values are not auto extended.
	467
8f0b4c16	468	=back
	469
	470	=item INTERNAL METHODS
	471
	472	=over 4
	473
9e447f9d	474	=item setup
	475
	476	This method is extended to also make calls to
	477	C<check_session_plugin_requirements> and C<setup_session>.
	478
	479	=item check_session_plugin_requirements
	480
	481	This method ensures that a State and a Store plugin are also in use by the
	482	application.
	483
	484	=item setup_session
	485
	486	This method populates C<< $c->config->{session} >> with the default values
	487	listed in L</CONFIGURATION>.
	488
	489	=item prepare_action
	490
	491	This methoid is extended, and will restore session data and check it for
	492	validity if a session id is defined. It assumes that the State plugin will
	493	populate the C<sessionid> key beforehand.
	494
	495	=item finalize
	496
	497	This method is extended and will extend the expiry time, as well as persist the
	498	session data if a session exists.
	499
	500	=item delete_session REASON
	501
	502	This method is used to invalidate a session. It takes an optional parameter
	503	which will be saved in C<session_delete_reason> if provided.
	504
	505	=item initialize_session_data
	506
	507	This method will initialize the internal structure of the session, and is
	508	called by the C<session> method if appropriate.
	509
229a5b53	510	=item generate_session_id
	511
	512	This method will return a string that can be used as a session ID. It is
	513	supposed to be a reasonably random string with enough bits to prevent
	514	collision. It basically takes C<session_hash_seed> and hashes it using SHA-1,
	515	MD5 or SHA-256, depending on the availibility of these modules.
	516
	517	=item session_hash_seed
	518
	519	This method is actually rather internal to generate_session_id, but should be
	520	overridable in case you want to provide more random data.
	521
	522	Currently it returns a concatenated string which contains:
	523
0974ac06	524	=item validate_session_id SID
	525
	526	Make sure a session ID is of the right format.
	527
	528	This currently ensures that the session ID string is any amount of case
	529	insensitive hexadecimal characters.
	530
229a5b53	531	=over 4
	532
	533	=item *
	534
	535	A counter
	536
	537	=item *
	538
	539	The current time
	540
	541	=item *
	542
	543	One value from C<rand>.
	544
	545	=item *
	546
	547	The stringified value of a newly allocated hash reference
	548
	549	=item *
	550
	551	The stringified value of the Catalyst context object
	552
	553	=back
	554
	555	In the hopes that those combined values are entropic enough for most uses. If
	556	this is not the case you can replace C<session_hash_seed> with e.g.
	557
	558	sub session_hash_seed {
	559	open my $fh, "<", "/dev/random";
	560	read $fh, my $bytes, 20;
	561	close $fh;
	562	return $bytes;
	563	}
	564
	565	Or even more directly, replace C<generate_session_id>:
	566
	567	sub generate_session_id {
	568	open my $fh, "<", "/dev/random";
	569	read $fh, my $bytes, 20;
	570	close $fh;
	571	return unpack("H*", $bytes);
	572	}
	573
	574	Also have a look at L<Crypt::Random> and the various openssl bindings - these
	575	modules provide APIs for cryptographically secure random data.
	576
99b2191e	577	=item dump_these
	578
	579	See L<Catalyst/dump_these> - ammends the session data structure to the list of
	580	dumped objects if session ID is defined.
	581
9e447f9d	582	=back
9e447f9d	583
a92c8aeb	584	=head1 USING SESSIONS DURING PREPARE
	585
	586	The earliest point in time at which you may use the session data is after
	587	L<Catalyst::Plugin::Session>'s C<prepare_action> has finished.
	588
	589	State plugins must set $c->session ID before C<prepare_action>, and during
	590	C<prepare_action> L<Catalyst::Plugin::Session> will actually load the data from
	591	the store.
	592
	593	sub prepare_action {
	594	my $c = shift;
	595
	596	# don't touch $c->session yet!
b1cd7d77	597
a92c8aeb	598	$c->NEXT::prepare_action( @_ );
	599
	600	$c->session; # this is OK
	601	$c->sessionid; # this is also OK
	602	}
	603
9e447f9d	604	=head1 CONFIGURATION
9e447f9d	605
229a5b53	606	$c->config->{session} = {
	607	expires => 1234,
	608	};
9e447f9d	609
	610	All configuation parameters are provided in a hash reference under the
	611	C<session> key in the configuration hash.
	612
	613	=over 4
	614
	615	=item expires
	616
	617	The time-to-live of each session, expressed in seconds. Defaults to 7200 (two
	618	hours).
	619
	620	=item verify_address
	621
8c7e922c	622	When true, C<<$c->request->address>> will be checked at prepare time. If it is
8c7e922c	623	not the same as the address that initiated the session, the session is deleted.
9e447f9d	624
	625	=back
	626
	627	=head1 SPECIAL KEYS
	628
	629	The hash reference returned by C<< $c->session >> contains several keys which
	630	are automatically set:
	631
	632	=over 4
	633
	634	=item __expires
	635
	636	A timestamp whose value is the last second when the session is still valid. If
	637	a session is restored, and __expires is less than the current time, the session
	638	is deleted.
	639
	640	=item __updated
	641
	642	The last time a session was saved. This is the value of
0974ac06	643	C<< $c->session->{__expires} - $c->config->session->{expires} >>.
9e447f9d	644
	645	=item __created
	646
	647	The time when the session was first created.
	648
	649	=item __address
	650
	651	The value of C<< $c->request->address >> at the time the session was created.
8c7e922c	652	This value is only populated if C<verify_address> is true in the configuration.
9e447f9d	653
	654	=back
	655
c80e9f04	656	=head1 CAVEATS
c80e9f04	657
a552e4b5	658	=head2 Round the Robin Proxies
a552e4b5	659
c80e9f04	660	C<verify_address> could make your site inaccessible to users who are behind
	661	load balanced proxies. Some ISPs may give a different IP to each request by the
	662	same client due to this type of proxying. If addresses are verified these
	663	users' sessions cannot persist.
	664
	665	To let these users access your site you can either disable address verification
	666	as a whole, or provide a checkbox in the login dialog that tells the server
	667	that it's OK for the address of the client to change. When the server sees that
	668	this box is checked it should delete the C<__address> sepcial key from the
	669	session hash when the hash is first created.
	670
a552e4b5	671	=head2 Race Conditions
	672
	673	In this day and age where cleaning detergents and dutch football (not the
	674	american kind) teams roam the plains in great numbers, requests may happen
	675	simultaneously. This means that there is some risk of session data being
	676	overwritten, like this:
	677
	678	=over 4
	679
	680	=item 1.
	681
	682	request a starts, request b starts, with the same session id
	683
	684	=item 2.
	685
	686	session data is loaded in request a
	687
	688	=item 3.
	689
	690	session data is loaded in request b
	691
	692	=item 4.
	693
	694	session data is changed in request a
	695
	696	=item 5.
	697
	698	request a finishes, session data is updated and written to store
	699
	700	=item 6.
	701
	702	request b finishes, session data is updated and written to store, overwriting
	703	changes by request a
	704
	705	=back
	706
	707	If this is a concern in your application, a soon to be developed locking
	708	solution is the only safe way to go. This will have a bigger overhead.
	709
	710	For applications where any given user is only making one request at a time this
	711	plugin should be safe enough.
	712
d45028d6	713	=head1 AUTHORS
d45028d6	714
baa9db9c	715	=over 4
	716
	717	=item Andy Grundman
	718
	719	=item Christian Hansen
	720
	721	=item Yuval Kogman, C<nothingmuch@woobling.org> (current maintainer)
	722
	723	=item Sebastian Riedel
	724
	725	=back
	726
	727	And countless other contributers from #catalyst. Thanks guys!
d45028d6	728
cc40ae4b	729	=head1 COPYRIGHT & LICENSE
d45028d6	730
	731	Copyright (c) 2005 the aforementioned authors. All rights
	732	reserved. This program is free software; you can redistribute
	733	it and/or modify it under the same terms as Perl itself.
	734
9e447f9d	735	=cut
	736
	737