3 package Catalyst::Plugin::Session;
4 use base qw/Class::Accessor::Fast/;
10 use Catalyst::Exception ();
14 our $VERSION = "0.02";
17 __PACKAGE__->mk_accessors(qw/_sessionid _session _session_delete_reason/);
25 $c->check_session_plugin_requirements;
31 sub check_session_plugin_requirements {
34 unless ( $c->isa("Catalyst::Plugin::Session::State")
35 && $c->isa("Catalyst::Plugin::Session::Store") )
38 ( "The Session plugin requires both Session::State "
39 . "and Session::Store plugins to be used as well." );
42 Catalyst::Exception->throw($err);
49 my $cfg = ( $c->config->{session} ||= {} );
57 $c->NEXT::setup_session();
63 if ( my $session_data = $c->_session ) {
65 # all sessions are extended at the end of the request
67 @{ $session_data }{qw/__updated __expires/} =
68 ( $now, $c->config->{session}{expires} + $now );
69 delete @{ $session_data->{__flash} }{ @{ delete $session_data->{__flash_stale_keys} || [] } };
70 $c->store_session_data( $c->sessionid, $session_data );
73 $c->NEXT::finalize(@_);
79 if ( my $sid = $c->_sessionid ) {
80 no warnings 'uninitialized'; # ne __address
82 my $session_data = $c->_session || $c->_session( $c->get_session_data($sid) );
83 if ( !$session_data or $session_data->{__expires} < time ) {
86 $c->log->debug("Deleting session $sid (expired)") if $c->debug;
87 $c->delete_session("session expired");
89 elsif ($c->config->{session}{verify_address}
90 && $session_data->{__address} ne $c->request->address )
93 "Deleting session $sid due to address mismatch ("
94 . $session_data->{__address} . " != "
95 . $c->request->address . ")",
97 $c->delete_session("address mismatch");
100 $c->log->debug(qq/Restored session "$sid"/) if $c->debug;
103 $c->_expire_ession_keys;
104 $session_data->{__flash_stale_keys} = [ keys %{ $session_data->{__flash} } ];
106 return $session_data;
112 sub _expire_ession_keys {
113 my ( $c, $data ) = @_;
117 my $expiry = ($data || $c->_session || {})->{__expire_keys} || {};
118 foreach my $key (grep { $expiry->{$_} < $now } keys %$expiry ) {
119 delete $c->_session->{$key};
120 delete $expiry->{$key};
125 my ( $c, $msg ) = @_;
127 # delete the session data
128 my $sid = $c->_sessionid || return;
129 $c->delete_session_data($sid);
131 # reset the values in the context object
133 $c->_sessionid(undef);
134 $c->_session_delete_reason($msg);
137 sub session_delete_reason {
140 $c->_load_session if ( $c->_sessionid && !$c->_session ); # must verify session data
142 $c->_session_delete_reason( @_ );
149 if ( $c->validate_session_id( my $sid = shift ) ) {
150 $c->_sessionid( $sid );
151 return unless defined wantarray;
153 my $err = "Tried to set invalid session ID '$sid'";
154 $c->log->error( $err );
155 Catalyst::Exception->throw( $err );
159 $c->_load_session if ( $c->_sessionid && !$c->_session ); # must verify session data
161 return $c->_sessionid;
164 sub validate_session_id {
165 my ( $c, $sid ) = @_;
167 $sid =~ /^[a-f\d]+$/i;
173 $c->_session || $c->_load_session || do {
174 my $sid = $c->generate_session_id;
177 $c->log->debug(qq/Created session "$sid"/) if $c->debug;
179 $c->initialize_session_data;
185 return $c->session->{__flash} ||= {};
188 sub session_expire_key {
189 my ( $c, %keys ) = @_;
192 @{ $c->session->{__expire_keys} }{keys %keys} = map { $now + $_ } values %keys;
195 sub initialize_session_data {
200 return $c->_session({
203 __expires => $now + $c->config->{session}{expires},
206 $c->config->{session}{verify_address}
207 ? ( __address => $c->request->address )
213 sub generate_session_id {
216 my $digest = $c->_find_digest();
217 $digest->add( $c->session_hash_seed() );
218 return $digest->hexdigest;
223 sub session_hash_seed {
226 return join( "", ++$counter, time, rand, $$, {}, overload::StrVal($c), );
231 sub _find_digest () {
233 foreach my $alg (qw/SHA-1 MD5 SHA-256/) {
235 my $obj = Digest->new($alg);
241 or Catalyst::Exception->throw(
242 "Could not find a suitable Digest module. Please install "
243 . "Digest::SHA1, Digest::SHA, or Digest::MD5" );
246 return Digest->new($usable);
253 $c->NEXT::dump_these(),
256 ? ( [ "Session ID" => $c->sessionid ], [ Session => $c->session ], )
269 Catalyst::Plugin::Session - Generic Session plugin - ties together server side
270 storage and client side state required to maintain session data.
274 # To get sessions to "just work", all you need to do is use these plugins:
278 Session::Store::FastMmap
279 Session::State::Cookie
282 # you can replace Store::FastMmap with Store::File - both have sensible
283 # default configurations (see their docs for details)
285 # more complicated backends are available for other scenarios (DBI storage,
289 # after you've loaded the plugins you can save session data
290 # For example, if you are writing a shopping cart, it could be implemented
293 sub add_item : Local {
294 my ( $self, $c ) = @_;
296 my $item_id = $c->req->param("item");
298 # $c->session is a hash ref, a bit like $c->stash
299 # the difference is that it' preserved across requests
301 push @{ $c->session->{items} }, $item_id;
303 $c->forward("MyView");
306 sub display_items : Local {
307 my ( $self, $c ) = @_;
309 # values in $c->session are restored
310 $c->stash->{items_to_display} =
311 [ map { MyModel->retrieve($_) } @{ $c->session->{items} } ];
313 $c->forward("MyView");
318 The Session plugin is the base of two related parts of functionality required
319 for session management in web applications.
321 The first part, the State, is getting the browser to repeat back a session key,
322 so that the web application can identify the client and logically string
323 several requests together into a session.
325 The second part, the Store, deals with the actual storage of information about
326 the client. This data is stored so that the it may be revived for every request
327 made by the same client.
329 This plugin links the two pieces together.
331 =head1 RECCOMENDED BACKENDS
335 =item Session::State::Cookie
337 The only really sane way to do state is using cookies.
339 =item Session::Store::File
341 A portable backend, based on Cache::File.
343 =item Session::Store::FastMmap
345 A fast and flexible backend, based on Cache::FastMmap.
355 An accessor for the session ID value.
359 Returns a hash reference that might contain unserialized values from previous
360 requests in the same session, and whose modified value will be saved for future
363 This method will automatically create a new session and session ID if none
366 =item session_delete_reason
368 This accessor contains a string with the reason a session was deleted. Possible
383 =item session_expire_key $key, $ttl
385 Mark a key to expire at a certain time (only useful when shorter than the
386 expiry time for the whole session).
390 __PACKAGE__->config->{session}{expires} = 1000000000000; # forever
394 $c->session_expire_key( __user => 3600 );
396 Will make the session data survive, but the user will still be logged out after
399 Note that these values are not auto extended.
403 =item INTERNAL METHODS
409 This method is extended to also make calls to
410 C<check_session_plugin_requirements> and C<setup_session>.
412 =item check_session_plugin_requirements
414 This method ensures that a State and a Store plugin are also in use by the
419 This method populates C<< $c->config->{session} >> with the default values
420 listed in L</CONFIGURATION>.
424 This methoid is extended, and will restore session data and check it for
425 validity if a session id is defined. It assumes that the State plugin will
426 populate the C<sessionid> key beforehand.
430 This method is extended and will extend the expiry time, as well as persist the
431 session data if a session exists.
433 =item delete_session REASON
435 This method is used to invalidate a session. It takes an optional parameter
436 which will be saved in C<session_delete_reason> if provided.
438 =item initialize_session_data
440 This method will initialize the internal structure of the session, and is
441 called by the C<session> method if appropriate.
443 =item generate_session_id
445 This method will return a string that can be used as a session ID. It is
446 supposed to be a reasonably random string with enough bits to prevent
447 collision. It basically takes C<session_hash_seed> and hashes it using SHA-1,
448 MD5 or SHA-256, depending on the availibility of these modules.
450 =item session_hash_seed
452 This method is actually rather internal to generate_session_id, but should be
453 overridable in case you want to provide more random data.
455 Currently it returns a concatenated string which contains:
457 =item validate_session_id SID
459 Make sure a session ID is of the right format.
461 This currently ensures that the session ID string is any amount of case
462 insensitive hexadecimal characters.
476 One value from C<rand>.
480 The stringified value of a newly allocated hash reference
484 The stringified value of the Catalyst context object
488 In the hopes that those combined values are entropic enough for most uses. If
489 this is not the case you can replace C<session_hash_seed> with e.g.
491 sub session_hash_seed {
492 open my $fh, "<", "/dev/random";
493 read $fh, my $bytes, 20;
498 Or even more directly, replace C<generate_session_id>:
500 sub generate_session_id {
501 open my $fh, "<", "/dev/random";
502 read $fh, my $bytes, 20;
504 return unpack("H*", $bytes);
507 Also have a look at L<Crypt::Random> and the various openssl bindings - these
508 modules provide APIs for cryptographically secure random data.
512 See L<Catalyst/dump_these> - ammends the session data structure to the list of
513 dumped objects if session ID is defined.
517 =head1 USING SESSIONS DURING PREPARE
519 The earliest point in time at which you may use the session data is after
520 L<Catalyst::Plugin::Session>'s C<prepare_action> has finished.
522 State plugins must set $c->session ID before C<prepare_action>, and during
523 C<prepare_action> L<Catalyst::Plugin::Session> will actually load the data from
529 # don't touch $c->session yet!
531 $c->NEXT::prepare_action( @_ );
533 $c->session; # this is OK
534 $c->sessionid; # this is also OK
539 $c->config->{session} = {
543 All configuation parameters are provided in a hash reference under the
544 C<session> key in the configuration hash.
550 The time-to-live of each session, expressed in seconds. Defaults to 7200 (two
555 When true, C<<$c->request->address>> will be checked at prepare time. If it is
556 not the same as the address that initiated the session, the session is deleted.
562 The hash reference returned by C<< $c->session >> contains several keys which
563 are automatically set:
569 A timestamp whose value is the last second when the session is still valid. If
570 a session is restored, and __expires is less than the current time, the session
575 The last time a session was saved. This is the value of
576 C<< $c->session->{__expires} - $c->config->session->{expires} >>.
580 The time when the session was first created.
584 The value of C<< $c->request->address >> at the time the session was created.
585 This value is only populated if C<verify_address> is true in the configuration.
591 =head2 Round the Robin Proxies
593 C<verify_address> could make your site inaccessible to users who are behind
594 load balanced proxies. Some ISPs may give a different IP to each request by the
595 same client due to this type of proxying. If addresses are verified these
596 users' sessions cannot persist.
598 To let these users access your site you can either disable address verification
599 as a whole, or provide a checkbox in the login dialog that tells the server
600 that it's OK for the address of the client to change. When the server sees that
601 this box is checked it should delete the C<__address> sepcial key from the
602 session hash when the hash is first created.
604 =head2 Race Conditions
606 In this day and age where cleaning detergents and dutch football (not the
607 american kind) teams roam the plains in great numbers, requests may happen
608 simultaneously. This means that there is some risk of session data being
609 overwritten, like this:
615 request a starts, request b starts, with the same session id
619 session data is loaded in request a
623 session data is loaded in request b
627 session data is changed in request a
631 request a finishes, session data is updated and written to store
635 request b finishes, session data is updated and written to store, overwriting
640 If this is a concern in your application, a soon to be developed locking
641 solution is the only safe way to go. This will have a bigger overhead.
643 For applications where any given user is only making one request at a time this
644 plugin should be safe enough.
652 =item Christian Hansen
654 =item Yuval Kogman, C<nothingmuch@woobling.org> (current maintainer)
656 =item Sebastian Riedel
660 And countless other contributers from #catalyst. Thanks guys!
662 =head1 COPYRIGHT & LICENSE
664 Copyright (c) 2005 the aforementioned authors. All rights
665 reserved. This program is free software; you can redistribute
666 it and/or modify it under the same terms as Perl itself.