#!/usr/bin/perl
package Catalyst::Plugin::Session;
-use base qw/Class::Accessor::Fast/;
-
-use strict;
-use warnings;
+use Moose;
+with 'MooseX::Emulate::Class::Accessor::Fast';
use MRO::Compat;
use Catalyst::Exception ();
use Digest ();
use Object::Signature ();
use Carp;
-our $VERSION = '0.20';
+use namespace::clean -except => 'meta';
+
+our $VERSION = '0.24';
my @session_data_accessors; # used in delete_session
-BEGIN {
- __PACKAGE__->mk_accessors(
+
+__PACKAGE__->mk_accessors(
"_session_delete_reason",
@session_data_accessors = qw/
_sessionid
_tried_loading_session_expires
_tried_loading_flash_data
/
- );
-}
+);
+
sub setup {
my $c = shift;
%$cfg = (
expires => 7200,
verify_address => 0,
+ verify_user_agent => 0,
%$cfg,
);
$c->delete_session("address mismatch");
return;
}
+ if ( $c->config->{session}{verify_user_agent}
+ && $session_data->{__user_agent} ne $c->request->user_agent )
+ {
+ $c->log->warn(
+ "Deleting session $sid due to user agent mismatch ("
+ . $session_data->{__user_agent} . " != "
+ . $c->request->user_agent . ")"
+ );
+ $c->delete_session("user agent mismatch");
+ return;
+ }
$c->log->debug(qq/Restored session "$sid"/) if $c->debug;
$c->_session_data_sig( Object::Signature::signature($session_data) ) if $session_data;
(
$c->config->{session}{verify_address}
- ? ( __address => $c->request->address )
+ ? ( __address => $c->request->address||'' )
+ : ()
+ ),
+ (
+ $c->config->{session}{verify_user_agent}
+ ? ( __user_agent => $c->request->user_agent||'' )
: ()
),
}
Defaults to false.
+=item verify_user_agent
+
+When true, C<<$c->request->user_agent>> will be checked at prepare time. If it
+is not the same as the user agent that initiated the session, the session is
+deleted.
+
+Defaults to false.
+
=item flash_to_stash
This option makes it easier to have actions behave the same whether they were
The value of C<< $c->request->address >> at the time the session was created.
This value is only populated if C<verify_address> is true in the configuration.
+=item __user_agent
+
+The value of C<< $c->request->user_agent >> at the time the session was created.
+This value is only populated if C<verify_user_agent> is true in the configuration.
+
=back
=head1 CAVEATS