adding the validation step into the docs

[catagits/Web-Session.git] / lib / Plack / Session / State.pm

diff --git a/lib/Plack/Session/State.pm b/lib/Plack/Session/State.pm
index 10a1368..bca98ec 100644 (file)
--- a/lib/Plack/Session/State.pm
+++ b/lib/Plack/Session/State.pm
@@ -7,6 +7,7 @@ use Digest::SHA1 ();
 use Plack::Util::Accessor qw[
     session_key
     sid_generator
+    sid_validator
 ];
 
 sub new {
@@ -17,6 +18,7 @@ sub new {
     $params{'sid_generator'} ||= sub {
         Digest::SHA1::sha1_hex(rand() . $$ . {} . time)
     };
+    $params{'sid_validator'} ||= qr/\A[0-9a-f]{40}\Z/;
 
     bless { %params } => $class;
 }
@@ -33,10 +35,15 @@ sub is_session_expired {
 
 sub check_expired {
     my ($self, $id) = @_;
-    return unless $id && not $self->is_session_expired( $id );
+    return if $self->is_session_expired( $id );
     return $id;
 }
 
+sub validate_session_id {
+    my ($self, $id) = @_;
+    $id =~ $self->sid_validator;
+}
+
 sub get_session_id {
     my ($self, $request) = @_;
     $self->extract( $request )
@@ -44,9 +51,20 @@ sub get_session_id {
     $self->generate( $request )
 }
 
+sub get_session_id_from_request {
+    my ($self, $request) = @_;
+    $request->param( $self->session_key );
+}
+
 sub extract {
     my ($self, $request) = @_;
-    $self->check_expired( $request->param( $self->session_key ) );
+
+    my $id = $self->get_session_id_from_request( $request );
+    return unless defined $id;
+
+    $self->validate_session_id( $id )
+        &&
+    $self->check_expired( $id );
 }
 
 sub generate {
@@ -104,7 +122,7 @@ L<Plack::Session::State::Cookie> for an example of this.
 
 =item B<new ( %params )>
 
-The C<%params> can include I<session_key> and I<sid_generator>,
+The C<%params> can include I<session_key>, I<sid_generator> and I<sid_checker>
 however in both cases a default will be provided for you.
 
 =item B<session_key>
@@ -117,6 +135,10 @@ This is a CODE ref used to generate unique session ids, by default
 it will generate a SHA1 using fairly sufficient entropy. If you are
 concerned or interested, just read the source.
 
+=item B<sid_validator>
+
+This is a regex used to validate requested session id.
+
 =back
 
 =head2 Session ID Managment
@@ -130,13 +152,25 @@ if the is expired or does not exist, it will then generate a new
 session. The C<$request> is expected to be a L<Plack::Request> instance
 or an object with an equivalent interface.
 
+=item B<get_session_id_from_request ( $request )>
+
+This is the method used to extract the session id from a C<$request>.
+Subclasses will often only need to override this method and the
+C<finalize> method.
+
+=item B<validate_session_id ( $session_id )>
+
+This will use the C<sid_validator> regex and confirm that the
+C<$session_id> is valid.
+
 =item B<extract ( $request )>
 
 This will attempt to extract the session from a C<$request> by looking
 for the C<session_key> in the C<$request> params. It will then check to
-see if the session has expired and return the session id if it is not.
-The C<$request> is expected to be a L<Plack::Request> instance or an
-object with an equivalent interface.
+see if the session is valid and that it has not expired. It will return
+the session id if everything is good or undef otherwise. The C<$request>
+is expected to be a L<Plack::Request> instance or an object with an
+equivalent interface.
 
 =item B<generate ( $request )>