[catagits/Catalyst-Plugin-Session-State-Cookie.git] / lib / Catalyst / Plugin / Session / State / Cookie.pm

package Catalyst::Plugin::Session::State::Cookie;
use Moose;
use namespace::autoclean;

extends 'Catalyst::Plugin::Session::State';

use MRO::Compat;
use Catalyst::Utils ();

our $VERSION = "0.16";

has _deleted_session_id => ( is => 'rw' );

sub setup_session {
    my $c = shift;

    $c->maybe::next::method(@_);

    $c->_session_plugin_config->{cookie_name}
        ||= Catalyst::Utils::appprefix($c) . '_session';
}

sub extend_session_id {
    my ( $c, $sid, $expires ) = @_;

    if ( my $cookie = $c->get_session_cookie ) {
        $c->update_session_cookie( $c->make_session_cookie( $sid ) );
    }

    $c->maybe::next::method( $sid, $expires );
}

sub set_session_id {
    my ( $c, $sid ) = @_;

    $c->update_session_cookie( $c->make_session_cookie( $sid ) );

    return $c->maybe::next::method($sid);
}

sub update_session_cookie {
    my ( $c, $updated ) = @_;

    unless ( $c->cookie_is_rejecting( $updated ) ) {
        my $cookie_name = $c->_session_plugin_config->{cookie_name};
        $c->response->cookies->{$cookie_name} = $updated;
    }
}

sub cookie_is_rejecting {
    my ( $c, $cookie ) = @_;

    if ( $cookie->{path} ) {
        return 1 if index '/'.$c->request->path, $cookie->{path};
    }

    return 0;
}

sub make_session_cookie {
    my ( $c, $sid, %attrs ) = @_;

    my $cfg    = $c->_session_plugin_config;
    my $cookie = {
        value => $sid,
        ( $cfg->{cookie_domain} ? ( domain => $cfg->{cookie_domain} ) : () ),
        ( $cfg->{cookie_path} ? ( path => $cfg->{cookie_path} ) : () ),
        %attrs,
    };

    unless ( exists $cookie->{expires} ) {
        $cookie->{expires} = $c->calculate_session_cookie_expires();
    }

    #beware: we have to accept also the old syntax "cookie_secure = true"
    my $sec = $cfg->{cookie_secure} || 0; # default = 0 (not set)
    $cookie->{secure} = 1 unless ( ($sec==0) || ($sec==2) );
    $cookie->{secure} = 1 if ( ($sec==2) && $c->req->secure );

    $cookie->{httponly} = $cfg->{cookie_httponly};
    $cookie->{httponly} = 1
        unless defined $cookie->{httponly}; # default = 1 (set httponly)

    return $cookie;
}

sub calc_expiry { # compat
    my $c = shift;
    $c->maybe::next::method( @_ ) || $c->calculate_session_cookie_expires( @_ );
}

sub calculate_session_cookie_expires {
    my $c   = shift;
    my $cfg = $c->_session_plugin_config;

    my $value = $c->maybe::next::method(@_);
    return $value if $value;

    if ( exists $cfg->{cookie_expires} ) {
        if ( $cfg->{cookie_expires} > 0 ) {
            return time() + $cfg->{cookie_expires};
        }
        else {
            return undef;
        }
    }
    else {
        return $c->session_expires;
    }
}

sub get_session_cookie {
    my $c = shift;

    my $cookie_name = $c->_session_plugin_config->{cookie_name};

    return $c->request->cookies->{$cookie_name};
}

sub get_session_id {
    my $c = shift;

    if ( !$c->_deleted_session_id and my $cookie = $c->get_session_cookie ) {
        my $sid = $cookie->value;
        $c->log->debug(qq/Found sessionid "$sid" in cookie/) if $c->debug;
        return $sid if $sid;
    }

    $c->maybe::next::method(@_);
}

sub delete_session_id {
    my ( $c, $sid ) = @_;

    $c->_deleted_session_id(1); # to prevent get_session_id from returning it

    $c->update_session_cookie( $c->make_session_cookie( $sid, expires => 0 ) );

    $c->maybe::next::method($sid);
}

__PACKAGE__

__END__

=pod

=head1 NAME

Catalyst::Plugin::Session::State::Cookie - Maintain session IDs using cookies.

=head1 SYNOPSIS

    use Catalyst qw/Session Session::State::Cookie Session::Store::Foo/;

=head1 DESCRIPTION

In order for L<Catalyst::Plugin::Session> to work the session ID needs to be
stored on the client, and the session data needs to be stored on the server.

This plugin stores the session ID on the client using the cookie mechanism.

=head1 METHODS

=over 4

=item make_session_cookie

Returns a hash reference with the default values for new cookies.

=item update_session_cookie $hash_ref

Sets the cookie based on C<cookie_name> in the response object.

=item calc_expiry

=item calculate_session_cookie_expires

=item cookie_is_rejecting

=item delete_session_id

=item extend_session_id

=item get_session_cookie

=item get_session_id

=item set_session_id

=back

=head1 EXTENDED METHODS

=over 4

=item prepare_cookies

Will restore if an appropriate cookie is found.

=item finalize_cookies

Will set a cookie called C<session> if it doesn't exist or if its value is not
the current session id.

=item setup_session

Will set the C<cookie_name> parameter to its default value if it isn't set.

=back

=head1 CONFIGURATION

=over 4

=item cookie_name

The name of the cookie to store (defaults to C<Catalyst::Utils::apprefix($c) . '_session'>).

=item cookie_domain

The name of the domain to store in the cookie (defaults to current host)

=item cookie_expires

Number of seconds from now you want to elapse before cookie will expire.
Set to 0 to create a session cookie, ie one which will die when the
user's browser is shut down.

=item cookie_secure

If this attribute B<set to 0> the cookie will not have the secure flag.

If this attribute B<set to 1> (or true for backward compatibility) - the cookie
send by the server to the client will got the secure flag that tells the browser
to send this cookies back to the server only via HTTPS.

If this attribute B<set to 2> then the cookie will got the secure flag only if
the request that caused cookie generation was sent over https (this option is
not good if you are mixing https and http in you application).

Default vaule is 0.

=item cookie_httponly

If this attribute B<set to 0>, the cookie will not have HTTPOnly flag.

If this attribute B<set to 1>, the cookie will got HTTPOnly flag that should
prevent client side Javascript accessing the cookie value - this makes some
sort of session hijacking attacks significantly harder. Unfortunately not all
browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if
a browser is not aware of HTTPOnly the flag will be ignored.

Default value is 1.

Note1: Many peole are confused by the name "HTTPOnly" - it B<does not mean>
that this cookie works only over HTTP and not over HTTPS.

Note2: This paramater requires Catalyst::Runtime 5.80005 otherwise is skipped.

=item cookie_path

The path of the request url where cookie should be baked.

=back

For example, you could stick this in MyApp.pm:

  __PACKAGE__->config( 'Plugin::Session' => {
     cookie_domain  => '.mydomain.com',
  });

=head1 CAVEATS

Sessions have to be created before the first write to be saved. For example:

	sub action : Local {
		my ( $self, $c ) = @_;
		$c->res->write("foo");
		$c->session( ... );
		...
	}

Will cause a session ID to not be set, because by the time a session is
actually created the headers have already been sent to the client.

=head1 SEE ALSO

L<Catalyst>, L<Catalyst::Plugin::Session>.

=head1 AUTHORS

Yuval Kogman E<lt>nothingmuch@woobling.orgE<gt>

=head1 CONTRIBUTORS

This module is derived from L<Catalyst::Plugin::Session::FastMmap> code, and
has been heavily modified since.

  Andrew Ford
  Andy Grundman
  Christian Hansen
  Marcus Ramberg
  Jonathan Rockway E<lt>jrockway@cpan.orgE<gt>
  Sebastian Riedel
  Florian Ragwitz

=head1 COPYRIGHT

Copyright (c) 2005, Yuval Kogman C<< <nothingmuch@woobling.org> >>

=head1 LICENSE

This program is free software, you can redistribute it and/or modify it
under the same terms as Perl itself.

=cut

1;
Commit	Line	Data
1a776a0c	1	package Catalyst::Plugin::Session::State::Cookie;
679f4a58	2	use Moose;
679f4a58	3	use namespace::autoclean;
bf2bce67	4
679f4a58	5	extends 'Catalyst::Plugin::Session::State';
bf2bce67	6
45c96680	7	use MRO::Compat;
74586782	8	use Catalyst::Utils ();
bf2bce67	9
7c0b044c	10	our $VERSION = "0.16";
ea139a65	11
679f4a58	12	has _deleted_session_id => ( is => 'rw' );
81eb8ebf	13
5e50008f	14	sub setup_session {
20e33791	15	my $c = shift;
5e50008f	16
45c96680	17	$c->maybe::next::method(@_);
2bde9162	18
5aca1bdd	19	$c->_session_plugin_config->{cookie_name}
7022ec4c	20	\|\|= Catalyst::Utils::appprefix($c) . '_session';
5e50008f	21	}
5e50008f	22
0ff18b66	23	sub extend_session_id {
0ff18b66	24	my ( $c, $sid, $expires ) = @_;
1a776a0c	25
2bde9162	26	if ( my $cookie = $c->get_session_cookie ) {
0ff18b66	27	$c->update_session_cookie( $c->make_session_cookie( $sid ) );
58730edc	28	}
db1cda22	29
45c96680	30	$c->maybe::next::method( $sid, $expires );
2bde9162	31	}
	32
	33	sub set_session_id {
	34	my ( $c, $sid ) = @_;
	35
	36	$c->update_session_cookie( $c->make_session_cookie( $sid ) );
	37
45c96680	38	return $c->maybe::next::method($sid);
db1cda22	39	}
	40
	41	sub update_session_cookie {
58730edc	42	my ( $c, $updated ) = @_;
ab649d6b	43
8bdcbb46	44	unless ( $c->cookie_is_rejecting( $updated ) ) {
5aca1bdd	45	my $cookie_name = $c->_session_plugin_config->{cookie_name};
8bdcbb46	46	$c->response->cookies->{$cookie_name} = $updated;
	47	}
	48	}
	49
	50	sub cookie_is_rejecting {
	51	my ( $c, $cookie ) = @_;
ab649d6b	52
8bdcbb46	53	if ( $cookie->{path} ) {
91e4fe2d	54	return 1 if index '/'.$c->request->path, $cookie->{path};
8bdcbb46	55	}
ab649d6b	56
8bdcbb46	57	return 0;
db1cda22	58	}
5e50008f	59
db1cda22	60	sub make_session_cookie {
2bde9162	61	my ( $c, $sid, %attrs ) = @_;
58730edc	62
5aca1bdd	63	my $cfg = $c->_session_plugin_config;
58730edc	64	my $cookie = {
2bde9162	65	value => $sid,
58730edc	66	( $cfg->{cookie_domain} ? ( domain => $cfg->{cookie_domain} ) : () ),
8bdcbb46	67	( $cfg->{cookie_path} ? ( path => $cfg->{cookie_path} ) : () ),
df55e818	68	%attrs,
58730edc	69	};
58730edc	70
2bde9162	71	unless ( exists $cookie->{expires} ) {
	72	$cookie->{expires} = $c->calculate_session_cookie_expires();
	73	}
1e986fd5	74
d2cf2047	75	#beware: we have to accept also the old syntax "cookie_secure = true"
	76	my $sec = $cfg->{cookie_secure} \|\| 0; # default = 0 (not set)
	77	$cookie->{secure} = 1 unless ( ($sec==0) \|\| ($sec==2) );
ab649d6b	78	$cookie->{secure} = 1 if ( ($sec==2) && $c->req->secure );
ab649d6b	79
5aca1bdd	80	$cookie->{httponly} = $cfg->{cookie_httponly};
3c6b7451	81	$cookie->{httponly} = 1
5aca1bdd	82	unless defined $cookie->{httponly}; # default = 1 (set httponly)
fc4b9d6d	83
1e986fd5	84	return $cookie;
	85	}
	86
2bde9162	87	sub calc_expiry { # compat
2bde9162	88	my $c = shift;
45c96680	89	$c->maybe::next::method( @_ ) \|\| $c->calculate_session_cookie_expires( @_ );
2bde9162	90	}
	91
	92	sub calculate_session_cookie_expires {
	93	my $c = shift;
5aca1bdd	94	my $cfg = $c->_session_plugin_config;
2bde9162	95
45c96680	96	my $value = $c->maybe::next::method(@_);
1e986fd5	97	return $value if $value;
2bde9162	98
58730edc	99	if ( exists $cfg->{cookie_expires} ) {
7022ec4c	100	if ( $cfg->{cookie_expires} > 0 ) {
1e986fd5	101	return time() + $cfg->{cookie_expires};
7022ec4c	102	}
7022ec4c	103	else {
1e986fd5	104	return undef;
7022ec4c	105	}
58730edc	106	}
58730edc	107	else {
2bde9162	108	return $c->session_expires;
58730edc	109	}
bf2bce67	110	}
bf2bce67	111
2bde9162	112	sub get_session_cookie {
bf2bce67	113	my $c = shift;
1a776a0c	114
5aca1bdd	115	my $cookie_name = $c->_session_plugin_config->{cookie_name};
5e50008f	116
2bde9162	117	return $c->request->cookies->{$cookie_name};
	118	}
	119
	120	sub get_session_id {
	121	my $c = shift;
	122
ab649d6b	123	if ( !$c->_deleted_session_id and my $cookie = $c->get_session_cookie ) {
bf2bce67	124	my $sid = $cookie->value;
bf2bce67	125	$c->log->debug(qq/Found sessionid "$sid" in cookie/) if $c->debug;
2bde9162	126	return $sid if $sid;
bf2bce67	127	}
bf2bce67	128
45c96680	129	$c->maybe::next::method(@_);
2bde9162	130	}
	131
	132	sub delete_session_id {
df55e818	133	my ( $c, $sid ) = @_;
ab649d6b	134
ea139a65	135	$c->_deleted_session_id(1); # to prevent get_session_id from returning it
df55e818	136
	137	$c->update_session_cookie( $c->make_session_cookie( $sid, expires => 0 ) );
	138
45c96680	139	$c->maybe::next::method($sid);
bf2bce67	140	}
bf2bce67	141
1a776a0c	142	__PACKAGE__
57dbf608	143
1a776a0c	144	__END__
bf2bce67	145
1a776a0c	146	=pod
b2f8df5e	147
1a776a0c	148	=head1 NAME
bf2bce67	149
75d3560d	150	Catalyst::Plugin::Session::State::Cookie - Maintain session IDs using cookies.
bf2bce67	151
1a776a0c	152	=head1 SYNOPSIS
bf2bce67	153
20e33791	154	use Catalyst qw/Session Session::State::Cookie Session::Store::Foo/;
bf2bce67	155
1a776a0c	156	=head1 DESCRIPTION
bf2bce67	157
1a776a0c	158	In order for L<Catalyst::Plugin::Session> to work the session ID needs to be
1a776a0c	159	stored on the client, and the session data needs to be stored on the server.
bf2bce67	160
1a776a0c	161	This plugin stores the session ID on the client using the cookie mechanism.
57dbf608	162
724a6173	163	=head1 METHODS
	164
	165	=over 4
	166
	167	=item make_session_cookie
	168
	169	Returns a hash reference with the default values for new cookies.
	170
	171	=item update_session_cookie $hash_ref
	172
	173	Sets the cookie based on C<cookie_name> in the response object.
	174
2cfb85de	175	=item calc_expiry
	176
	177	=item calculate_session_cookie_expires
	178
	179	=item cookie_is_rejecting
	180
	181	=item delete_session_id
	182
	183	=item extend_session_id
	184
	185	=item get_session_cookie
	186
	187	=item get_session_id
	188
	189	=item set_session_id
	190
724a6173	191	=back
724a6173	192
1a776a0c	193	=head1 EXTENDED METHODS
58c05d1a	194
57dbf608	195	=over 4
57dbf608	196
1a776a0c	197	=item prepare_cookies
57dbf608	198
1a776a0c	199	Will restore if an appropriate cookie is found.
58c05d1a	200
d52e5079	201	=item finalize_cookies
58c05d1a	202
1536d9aa	203	Will set a cookie called C<session> if it doesn't exist or if its value is not
19c2baa1	204	the current session id.
	205
	206	=item setup_session
	207
1536d9aa	208	Will set the C<cookie_name> parameter to its default value if it isn't set.
58c05d1a	209
57dbf608	210	=back
58c05d1a	211
5e50008f	212	=head1 CONFIGURATION
	213
	214	=over 4
	215
	216	=item cookie_name
	217
ae33e13f	218	The name of the cookie to store (defaults to C<Catalyst::Utils::apprefix($c) . '_session'>).
5e50008f	219
41b4b15c	220	=item cookie_domain
	221
	222	The name of the domain to store in the cookie (defaults to current host)
	223
7022ec4c	224	=item cookie_expires
7022ec4c	225
ab649d6b	226	Number of seconds from now you want to elapse before cookie will expire.
ab649d6b	227	Set to 0 to create a session cookie, ie one which will die when the
7022ec4c	228	user's browser is shut down.
7022ec4c	229
fc4b9d6d	230	=item cookie_secure
fc4b9d6d	231
d2cf2047	232	If this attribute B<set to 0> the cookie will not have the secure flag.
d2cf2047	233
ab649d6b	234	If this attribute B<set to 1> (or true for backward compatibility) - the cookie
ab649d6b	235	send by the server to the client will got the secure flag that tells the browser
d2cf2047	236	to send this cookies back to the server only via HTTPS.
	237
	238	If this attribute B<set to 2> then the cookie will got the secure flag only if
ab649d6b	239	the request that caused cookie generation was sent over https (this option is
d2cf2047	240	not good if you are mixing https and http in you application).
	241
	242	Default vaule is 0.
	243
	244	=item cookie_httponly
	245
	246	If this attribute B<set to 0>, the cookie will not have HTTPOnly flag.
	247
ab649d6b	248	If this attribute B<set to 1>, the cookie will got HTTPOnly flag that should
d2cf2047	249	prevent client side Javascript accessing the cookie value - this makes some
d2cf2047	250	sort of session hijacking attacks significantly harder. Unfortunately not all
ab649d6b	251	browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if
d2cf2047	252	a browser is not aware of HTTPOnly the flag will be ignored.
	253
	254	Default value is 1.
	255
	256	Note1: Many peole are confused by the name "HTTPOnly" - it B<does not mean>
ab649d6b	257	that this cookie works only over HTTP and not over HTTPS.
d2cf2047	258
d2cf2047	259	Note2: This paramater requires Catalyst::Runtime 5.80005 otherwise is skipped.
fc4b9d6d	260
8bdcbb46	261	=item cookie_path
	262
	263	The path of the request url where cookie should be baked.
	264
5e50008f	265	=back
5e50008f	266
d6bdceb5	267	For example, you could stick this in MyApp.pm:
d6bdceb5	268
5aca1bdd	269	__PACKAGE__->config( 'Plugin::Session' => {
d6bdceb5	270	cookie_domain => '.mydomain.com',
	271	});
	272
724a6173	273	=head1 CAVEATS
db1cda22	274
	275	Sessions have to be created before the first write to be saved. For example:
	276
	277	sub action : Local {
	278	my ( $self, $c ) = @_;
	279	$c->res->write("foo");
	280	$c->session( ... );
	281	...
	282	}
	283
	284	Will cause a session ID to not be set, because by the time a session is
	285	actually created the headers have already been sent to the client.
	286
bf2bce67	287	=head1 SEE ALSO
bf2bce67	288
1a776a0c	289	L<Catalyst>, L<Catalyst::Plugin::Session>.
bf2bce67	290
47f47da5	291	=head1 AUTHORS
bf2bce67	292
8ae6d944	293	Yuval Kogman E<lt>nothingmuch@woobling.orgE<gt>
	294
	295	=head1 CONTRIBUTORS
	296
47f47da5	297	This module is derived from L<Catalyst::Plugin::Session::FastMmap> code, and
	298	has been heavily modified since.
	299
d6bdceb5	300	Andrew Ford
	301	Andy Grundman
	302	Christian Hansen
	303	Marcus Ramberg
	304	Jonathan Rockway E<lt>jrockway@cpan.orgE<gt>
	305	Sebastian Riedel
7c0b044c	306	Florian Ragwitz
bf2bce67	307
	308	=head1 COPYRIGHT
	309
bab1512d	310	Copyright (c) 2005, Yuval Kogman C<< <nothingmuch@woobling.org> >>
	311
	312	=head1 LICENSE
	313
bfeb5ca0	314	This program is free software, you can redistribute it and/or modify it
bfeb5ca0	315	under the same terms as Perl itself.
bf2bce67	316
	317	=cut
	318
	319	1;