use Plack::Util::Accessor qw[
session_key
sid_generator
+ sid_validator
];
sub new {
$params{'sid_generator'} ||= sub {
Digest::SHA1::sha1_hex(rand() . $$ . {} . time)
};
+ $params{'sid_validator'} ||= qr/\A[0-9a-f]{40}\Z/;
bless { %params } => $class;
}
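Review bot: The default `sid_validator` on L10 is anchored with `\Z`, which also matches before a trailing newline, so an id of 40 hex digits followed by "\n" passes validation and is handed on unchanged to the store; anchor at the true end of string instead: `$params{'sid_validator'} ||= qr/\A[0-9a-f]{40}\z/;`. The default is also coupled to the shape of the default `sid_generator` (40 lowercase hex characters from `sha1_hex`), so a caller who overrides only `sid_generator` with ids of another length or alphabet will have every request's id rejected by `extract`; that coupling deserves a sentence in the `new` documentation. Validation does not make the ids harder to guess: the unchanged generator on L8 seeds `sha1_hex` with `rand()`, the pid and `time`, none of which is a cryptographic source, which is worth a `# NOTE:` next to it if the generator is kept. `new` starts before this hunk.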
sub check_expired {
my ($self, $id) = @_;
- return unless $id && not $self->is_session_expired( $id );
+ return if $self->is_session_expired( $id );
return $id;
}
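Review bot: With the `$id &&` test dropped from L15, `check_expired` now calls `is_session_expired` for an undefined or empty `$id`; `extract` guards with `return unless defined $id`, but `check_expired` is a public method, and a subclass or caller invoking it directly with undef now reaches the store (with uninitialized-value warnings) where it used to return early. A cheap guard preserves the old contract without changing the new flow: `return unless defined $id && length $id;` before the expiry check, with a comment that the caller is expected to have validated the id's format already.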
+sub validate_session_id {
+ my ($self, $id) = @_;
+ $id =~ $self->sid_validator;
+}
+
sub get_session_id {
my ($self, $request) = @_;
$self->extract( $request )
$self->generate( $request )
}
+sub get_session_id_from_request {
+ my ($self, $request) = @_;
+ $request->param( $self->session_key );
+}
+
sub extract {
my ($self, $request) = @_;
- $self->check_expired( $request->param( $self->session_key ) );
+
+ my $id = $self->get_session_id_from_request( $request );
+ return unless defined $id;
+
+ $self->validate_session_id( $id )
+ &&
+ $self->check_expired( $id );
}
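Review bot: When the validator rejects an id, `extract` returns the raw failed match result (`''` in scalar context) rather than undef as the updated POD promises, because `validate_session_id` returns the bare `=~` result and `&&` on L42 short-circuits on it; the expiry failure path returns a bare `return`, so the two failure values differ. Make the validation failure explicit: `return unless $self->validate_session_id( $id );` followed by `return $self->check_expired( $id );`. The `defined` check on L39 still passes an empty string to the validator, which the anchored default regex rejects, but a looser user-supplied `sid_validator` would be the only thing stopping it; a comment such as `# empty and malformed ids are rejected by sid_validator, not here` makes that dependency visible.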
sub generate {
=item B<new ( %params )>
-The C<%params> can include I<session_key> and I<sid_generator>,
+The C<%params> can include I<session_key>, I<sid_generator> and I<sid_checker>
however in both cases a default will be provided for you.
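Review bot: The documentation on L48 names the new parameter `sid_checker`, but the accessor and default on L4 and L10 are `sid_validator`, so a reader following the POD will pass a key that `bless { %params }` stores and never uses. Change it to `I<sid_validator>` and, since there are now three parameters, `however in all cases a default will be provided for you.` It would also help to state the default here: a regex matching exactly 40 lowercase hex characters, i.e. the output shape of the default `sid_generator`, so users who replace the generator know to replace the validator too.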
=item B<session_key>
it will generate a SHA1 using fairly sufficient entropy. If you are
concerned or interested, just read the source.
+=item B<sid_validator>
+
+This is a regex used to validate requested session id.
+
=back
=head2 Session ID Managment
session. The C<$request> is expected to be a L<Plack::Request> instance
or an object with an equivalent interface.
+=item B<get_session_id_from_request ( $request )>
+
+This is the method used to extract the session id from a C<$request>.
+Subclasses will often only need to override this method and the
+C<finalize> method.
+
+=item B<validate_session_id ( $session_id )>
+
+This will use the C<sid_validator> regex and confirm that the
+C<$session_id> is valid.
+
=item B<extract ( $request )>
This will attempt to extract the session from a C<$request> by looking
for the C<session_key> in the C<$request> params. It will then check to
-see if the session has expired and return the session id if it is not.
-The C<$request> is expected to be a L<Plack::Request> instance or an
-object with an equivalent interface.
+see if the session is valid and that it has not expired. It will return
+the session id if everything is good or undef otherwise. The C<$request>
+is expected to be a L<Plack::Request> instance or an object with an
+equivalent interface.
=item B<generate ( $request )>