#!/usr/bin/perl
package Catalyst::Plugin::Session;
-use base qw/Class::Accessor::Fast/;
-use strict;
-use warnings;
-
-use NEXT;
+use Moose;
+with 'MooseX::Emulate::Class::Accessor::Fast';
+use MRO::Compat;
use Catalyst::Exception ();
use Digest ();
use overload ();
use Object::Signature ();
use Carp;
-our $VERSION = '0.20';
+use namespace::clean -except => 'meta';
+
+our $VERSION = '0.23';
my @session_data_accessors; # used in delete_session
-BEGIN {
- __PACKAGE__->mk_accessors(
+
+__PACKAGE__->mk_accessors(
"_session_delete_reason",
@session_data_accessors = qw/
_sessionid
_tried_loading_session_expires
_tried_loading_flash_data
/
- );
-}
+);
+
sub setup {
my $c = shift;
- $c->NEXT::setup(@_);
+ $c->maybe::next::method(@_);
$c->check_session_plugin_requirements;
$c->setup_session;
%$cfg = (
expires => 7200,
verify_address => 0,
+ verify_user_agent => 0,
%$cfg,
);
- $c->NEXT::setup_session();
+ $c->maybe::next::method();
}
sub prepare_action {
@{ $c->stash }{ keys %$flash_data } = values %$flash_data;
}
- $c->NEXT::prepare_action(@_);
+ $c->maybe::next::method(@_);
}
sub finalize_headers {
# fix cookie before we send headers
$c->_save_session_expires;
- return $c->NEXT::finalize_headers(@_);
+ return $c->maybe::next::method(@_);
}
-sub finalize {
+sub finalize_body {
my $c = shift;
- my $ret = $c->NEXT::finalize(@_);
- # then finish the rest
+ # We have to finalize our session *before* $c->engine->finalize_xxx is called,
+ # because we do not want to send the HTTP response before the session is stored/committed to
+ # the session database (or whatever Session::Store you use).
$c->finalize_session;
- return $ret;
+
+ return $c->maybe::next::method(@_);
}
sub finalize_session {
my $c = shift;
- $c->NEXT::finalize_session;
+ $c->maybe::next::method(@_);
$c->_save_session_id;
$c->_save_session;
$c->delete_session("address mismatch");
return;
}
+ if ( $c->config->{session}{verify_user_agent}
+ && $session_data->{__user_agent} ne $c->request->user_agent )
+ {
+ $c->log->warn(
+ "Deleting session $sid due to user agent mismatch ("
+ . $session_data->{__user_agent} . " != "
+ . $c->request->user_agent . ")"
+ );
+ $c->delete_session("user agent mismatch");
+ return;
+ }
$c->log->debug(qq/Restored session "$sid"/) if $c->debug;
$c->_session_data_sig( Object::Signature::signature($session_data) ) if $session_data;
sub _clear_session_instance_data {
my $c = shift;
$c->$_(undef) for @session_data_accessors;
- $c->NEXT::_clear_session_instance_data; # allow other plugins to hook in on this
+ $c->maybe::next::method(@_); # allow other plugins to hook in on this
}
sub delete_session {
? ( __address => $c->request->address )
: ()
),
+ (
+ $c->config->{session}{verify_user_agent}
+ ? ( __user_agent => $c->request->user_agent )
+ : ()
+ ),
}
);
}
my $c = shift;
(
- $c->NEXT::dump_these(),
+ $c->maybe::next::method(),
$c->sessionid
? ( [ "Session ID" => $c->sessionid ], [ Session => $c->session ], )
}
-sub get_session_id { shift->NEXT::get_session_id(@_) }
-sub set_session_id { shift->NEXT::set_session_id(@_) }
-sub delete_session_id { shift->NEXT::delete_session_id(@_) }
-sub extend_session_id { shift->NEXT::extend_session_id(@_) }
+sub get_session_id { shift->maybe::next::method(@_) }
+sub set_session_id { shift->maybe::next::method(@_) }
+sub delete_session_id { shift->maybe::next::method(@_) }
+sub extend_session_id { shift->maybe::next::method(@_) }
__PACKAGE__;
This method is extended and will extend the expiry time before sending
the response.
-=item finalize
+=item finalize_body
-This method is extended and will call finalize_session after the other
-finalizes run. Here we persist the session data if a session exists.
+This method is extended and will call finalize_session before the other
+finalize_body methods run. Here we persist the session data if a session exists.
=item initialize_session_data
Defaults to false.
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
+is not the same as the user agent that initiated the session, the session is
+deleted.
+
+Defaults to false.
+
=item flash_to_stash
This option makes it easier to have actions behave the same whether they were
The value of C<< $c->request->address >> at the time the session was created.
This value is only populated if C<verify_address> is true in the configuration.
+=item __user_agent
+
+The value of C<< $c->request->user_agent >> at the time the session was created.
+This value is only populated if C<verify_user_agent> is true in the configuration.
+
=back
=head1 CAVEATS
Christian Hansen
-Yuval Kogman, C<nothingmuch@woobling.org> (current maintainer)
+Yuval Kogman, C<nothingmuch@woobling.org>
Sebastian Riedel
+Tomas Doran (t0m) C<bobtfish@bobtfish.net> (current maintainer)
+
+Sergio Salvi
+
And countless other contributers from #catalyst. Thanks guys!
=head1 COPYRIGHT & LICENSE
projects / catagits/Catalyst-Plugin-Session.git / blobdiff