[catagits/Catalyst-Plugin-Session-State-Cookie.git] / lib / Catalyst / Plugin / Session / State / Cookie.pm

package Catalyst::Plugin::Session::State::Cookie;
use Moose;
use namespace::autoclean;

extends 'Catalyst::Plugin::Session::State';

use MRO::Compat;
use Catalyst::Utils ();

our $VERSION = "0.14";

has _deleted_session_id => ( is => 'rw' );

sub setup_session {
    my $c = shift;

    $c->maybe::next::method(@_);

    $c->config->{session}{cookie_name}
        ||= Catalyst::Utils::appprefix($c) . '_session';
}

sub extend_session_id {
    my ( $c, $sid, $expires ) = @_;

    if ( my $cookie = $c->get_session_cookie ) {
        $c->update_session_cookie( $c->make_session_cookie( $sid ) );
    }

    $c->maybe::next::method( $sid, $expires );
}

sub set_session_id {
    my ( $c, $sid ) = @_;

    $c->update_session_cookie( $c->make_session_cookie( $sid ) );

    return $c->maybe::next::method($sid);
}

sub update_session_cookie {
    my ( $c, $updated ) = @_;

    unless ( $c->cookie_is_rejecting( $updated ) ) {
        my $cookie_name = $c->config->{session}{cookie_name};
        $c->response->cookies->{$cookie_name} = $updated;
    }
}

sub cookie_is_rejecting {
    my ( $c, $cookie ) = @_;

    if ( $cookie->{path} ) {
        return 1 if index '/'.$c->request->path, $cookie->{path};
    }

    return 0;
}

sub make_session_cookie {
    my ( $c, $sid, %attrs ) = @_;

    my $cfg    = $c->config->{session};
    my $cookie = {
        value => $sid,
        ( $cfg->{cookie_domain} ? ( domain => $cfg->{cookie_domain} ) : () ),
        ( $cfg->{cookie_path} ? ( path => $cfg->{cookie_path} ) : () ),
        %attrs,
    };

    unless ( exists $cookie->{expires} ) {
        $cookie->{expires} = $c->calculate_session_cookie_expires();
    }

    #beware: we have to accept also the old syntax "cookie_secure = true"
    my $sec = $cfg->{cookie_secure} || 0; # default = 0 (not set)
    $cookie->{secure} = 1 unless ( ($sec==0) || ($sec==2) );
    $cookie->{secure} = 1 if ( ($sec==2) && $c->req->secure );

    $cookie->{httponly} = 1
        unless exists $cookie->{httponly}; # default = 1 (set httponly)

    return $cookie;
}

sub calc_expiry { # compat
    my $c = shift;
    $c->maybe::next::method( @_ ) || $c->calculate_session_cookie_expires( @_ );
}

sub calculate_session_cookie_expires {
    my $c   = shift;
    my $cfg = $c->config->{session};

    my $value = $c->maybe::next::method(@_);
    return $value if $value;

    if ( exists $cfg->{cookie_expires} ) {
        if ( $cfg->{cookie_expires} > 0 ) {
            return time() + $cfg->{cookie_expires};
        }
        else {
            return undef;
        }
    }
    else {
        return $c->session_expires;
    }
}

sub get_session_cookie {
    my $c = shift;

    my $cookie_name = $c->config->{session}{cookie_name};

    return $c->request->cookies->{$cookie_name};
}

sub get_session_id {
    my $c = shift;

    if ( !$c->_deleted_session_id and my $cookie = $c->get_session_cookie ) {
        my $sid = $cookie->value;
        $c->log->debug(qq/Found sessionid "$sid" in cookie/) if $c->debug;
        return $sid if $sid;
    }

    $c->maybe::next::method(@_);
}

sub delete_session_id {
    my ( $c, $sid ) = @_;

    $c->_deleted_session_id(1); # to prevent get_session_id from returning it

    $c->update_session_cookie( $c->make_session_cookie( $sid, expires => 0 ) );

    $c->maybe::next::method($sid);
}

__PACKAGE__

__END__

=pod

=head1 NAME

Catalyst::Plugin::Session::State::Cookie - Maintain session IDs using cookies.

=head1 SYNOPSIS

    use Catalyst qw/Session Session::State::Cookie Session::Store::Foo/;

=head1 DESCRIPTION

In order for L<Catalyst::Plugin::Session> to work the session ID needs to be
stored on the client, and the session data needs to be stored on the server.

This plugin stores the session ID on the client using the cookie mechanism.

=head1 METHODS

=over 4

=item make_session_cookie

Returns a hash reference with the default values for new cookies.

=item update_session_cookie $hash_ref

Sets the cookie based on C<cookie_name> in the response object.

=item calc_expiry

=item calculate_session_cookie_expires

=item cookie_is_rejecting

=item delete_session_id

=item extend_session_id

=item get_session_cookie

=item get_session_id

=item set_session_id

=back

=head1 EXTENDED METHODS

=over 4

=item prepare_cookies

Will restore if an appropriate cookie is found.

=item finalize_cookies

Will set a cookie called C<session> if it doesn't exist or if its value is not
the current session id.

=item setup_session

Will set the C<cookie_name> parameter to its default value if it isn't set.

=back

=head1 CONFIGURATION

=over 4

=item cookie_name

The name of the cookie to store (defaults to C<Catalyst::Utils::apprefix($c) . '_session'>).

=item cookie_domain

The name of the domain to store in the cookie (defaults to current host)

=item cookie_expires

Number of seconds from now you want to elapse before cookie will expire.
Set to 0 to create a session cookie, ie one which will die when the
user's browser is shut down.

=item cookie_secure

If this attribute B<set to 0> the cookie will not have the secure flag.

If this attribute B<set to 1> (or true for backward compatibility) - the cookie
send by the server to the client will got the secure flag that tells the browser
to send this cookies back to the server only via HTTPS.

If this attribute B<set to 2> then the cookie will got the secure flag only if
the request that caused cookie generation was sent over https (this option is
not good if you are mixing https and http in you application).

Default vaule is 0.

=item cookie_httponly

If this attribute B<set to 0>, the cookie will not have HTTPOnly flag.

If this attribute B<set to 1>, the cookie will got HTTPOnly flag that should
prevent client side Javascript accessing the cookie value - this makes some
sort of session hijacking attacks significantly harder. Unfortunately not all
browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if
a browser is not aware of HTTPOnly the flag will be ignored.

Default value is 1.

Note1: Many peole are confused by the name "HTTPOnly" - it B<does not mean>
that this cookie works only over HTTP and not over HTTPS.

Note2: This paramater requires Catalyst::Runtime 5.80005 otherwise is skipped.

=item cookie_path

The path of the request url where cookie should be baked.

=back

For example, you could stick this in MyApp.pm:

  __PACKAGE__->config( session => {
     cookie_domain  => '.mydomain.com',
  });

=head1 CAVEATS

Sessions have to be created before the first write to be saved. For example:

	sub action : Local {
		my ( $self, $c ) = @_;
		$c->res->write("foo");
		$c->session( ... );
		...
	}

Will cause a session ID to not be set, because by the time a session is
actually created the headers have already been sent to the client.

=head1 SEE ALSO

L<Catalyst>, L<Catalyst::Plugin::Session>.

=head1 AUTHORS

Yuval Kogman E<lt>nothingmuch@woobling.orgE<gt>

=head1 CONTRIBUTORS

This module is derived from L<Catalyst::Plugin::Session::FastMmap> code, and
has been heavily modified since.

  Andrew Ford
  Andy Grundman
  Christian Hansen
  Marcus Ramberg
  Jonathan Rockway E<lt>jrockway@cpan.orgE<gt>
  Sebastian Riedel

=head1 COPYRIGHT

Copyright (c) 2005, Yuval Kogman C<< <nothingmuch@woobling.org> >>

=head1 LICENSE

This program is free software, you can redistribute it and/or modify it
under the same terms as Perl itself.

=cut

1;
Commit	Line	Data
1a776a0c	1	package Catalyst::Plugin::Session::State::Cookie;
679f4a58	2	use Moose;
679f4a58	3	use namespace::autoclean;
bf2bce67	4
679f4a58	5	extends 'Catalyst::Plugin::Session::State';
bf2bce67	6
45c96680	7	use MRO::Compat;
74586782	8	use Catalyst::Utils ();
bf2bce67	9
6652d9a2	10	our $VERSION = "0.14";
ea139a65	11
679f4a58	12	has _deleted_session_id => ( is => 'rw' );
81eb8ebf	13
5e50008f	14	sub setup_session {
20e33791	15	my $c = shift;
5e50008f	16
45c96680	17	$c->maybe::next::method(@_);
2bde9162	18
7022ec4c	19	$c->config->{session}{cookie_name}
7022ec4c	20	\|\|= Catalyst::Utils::appprefix($c) . '_session';
5e50008f	21	}
5e50008f	22
0ff18b66	23	sub extend_session_id {
0ff18b66	24	my ( $c, $sid, $expires ) = @_;
1a776a0c	25
2bde9162	26	if ( my $cookie = $c->get_session_cookie ) {
0ff18b66	27	$c->update_session_cookie( $c->make_session_cookie( $sid ) );
58730edc	28	}
db1cda22	29
45c96680	30	$c->maybe::next::method( $sid, $expires );
2bde9162	31	}
	32
	33	sub set_session_id {
	34	my ( $c, $sid ) = @_;
	35
	36	$c->update_session_cookie( $c->make_session_cookie( $sid ) );
	37
45c96680	38	return $c->maybe::next::method($sid);
db1cda22	39	}
	40
	41	sub update_session_cookie {
58730edc	42	my ( $c, $updated ) = @_;
ab649d6b	43
8bdcbb46	44	unless ( $c->cookie_is_rejecting( $updated ) ) {
	45	my $cookie_name = $c->config->{session}{cookie_name};
	46	$c->response->cookies->{$cookie_name} = $updated;
	47	}
	48	}
	49
	50	sub cookie_is_rejecting {
	51	my ( $c, $cookie ) = @_;
ab649d6b	52
8bdcbb46	53	if ( $cookie->{path} ) {
91e4fe2d	54	return 1 if index '/'.$c->request->path, $cookie->{path};
8bdcbb46	55	}
ab649d6b	56
8bdcbb46	57	return 0;
db1cda22	58	}
5e50008f	59
db1cda22	60	sub make_session_cookie {
2bde9162	61	my ( $c, $sid, %attrs ) = @_;
58730edc	62
	63	my $cfg = $c->config->{session};
	64	my $cookie = {
2bde9162	65	value => $sid,
58730edc	66	( $cfg->{cookie_domain} ? ( domain => $cfg->{cookie_domain} ) : () ),
8bdcbb46	67	( $cfg->{cookie_path} ? ( path => $cfg->{cookie_path} ) : () ),
df55e818	68	%attrs,
58730edc	69	};
58730edc	70
2bde9162	71	unless ( exists $cookie->{expires} ) {
	72	$cookie->{expires} = $c->calculate_session_cookie_expires();
	73	}
1e986fd5	74
d2cf2047	75	#beware: we have to accept also the old syntax "cookie_secure = true"
	76	my $sec = $cfg->{cookie_secure} \|\| 0; # default = 0 (not set)
	77	$cookie->{secure} = 1 unless ( ($sec==0) \|\| ($sec==2) );
ab649d6b	78	$cookie->{secure} = 1 if ( ($sec==2) && $c->req->secure );
ab649d6b	79
3c6b7451	80	$cookie->{httponly} = 1
3c6b7451	81	unless exists $cookie->{httponly}; # default = 1 (set httponly)
fc4b9d6d	82
1e986fd5	83	return $cookie;
	84	}
	85
2bde9162	86	sub calc_expiry { # compat
2bde9162	87	my $c = shift;
45c96680	88	$c->maybe::next::method( @_ ) \|\| $c->calculate_session_cookie_expires( @_ );
2bde9162	89	}
	90
	91	sub calculate_session_cookie_expires {
	92	my $c = shift;
	93	my $cfg = $c->config->{session};
	94
45c96680	95	my $value = $c->maybe::next::method(@_);
1e986fd5	96	return $value if $value;
2bde9162	97
58730edc	98	if ( exists $cfg->{cookie_expires} ) {
7022ec4c	99	if ( $cfg->{cookie_expires} > 0 ) {
1e986fd5	100	return time() + $cfg->{cookie_expires};
7022ec4c	101	}
7022ec4c	102	else {
1e986fd5	103	return undef;
7022ec4c	104	}
58730edc	105	}
58730edc	106	else {
2bde9162	107	return $c->session_expires;
58730edc	108	}
bf2bce67	109	}
bf2bce67	110
2bde9162	111	sub get_session_cookie {
bf2bce67	112	my $c = shift;
1a776a0c	113
20e33791	114	my $cookie_name = $c->config->{session}{cookie_name};
5e50008f	115
2bde9162	116	return $c->request->cookies->{$cookie_name};
	117	}
	118
	119	sub get_session_id {
	120	my $c = shift;
	121
ab649d6b	122	if ( !$c->_deleted_session_id and my $cookie = $c->get_session_cookie ) {
bf2bce67	123	my $sid = $cookie->value;
bf2bce67	124	$c->log->debug(qq/Found sessionid "$sid" in cookie/) if $c->debug;
2bde9162	125	return $sid if $sid;
bf2bce67	126	}
bf2bce67	127
45c96680	128	$c->maybe::next::method(@_);
2bde9162	129	}
	130
	131	sub delete_session_id {
df55e818	132	my ( $c, $sid ) = @_;
ab649d6b	133
ea139a65	134	$c->_deleted_session_id(1); # to prevent get_session_id from returning it
df55e818	135
	136	$c->update_session_cookie( $c->make_session_cookie( $sid, expires => 0 ) );
	137
45c96680	138	$c->maybe::next::method($sid);
bf2bce67	139	}
bf2bce67	140
1a776a0c	141	__PACKAGE__
57dbf608	142
1a776a0c	143	__END__
bf2bce67	144
1a776a0c	145	=pod
b2f8df5e	146
1a776a0c	147	=head1 NAME
bf2bce67	148
75d3560d	149	Catalyst::Plugin::Session::State::Cookie - Maintain session IDs using cookies.
bf2bce67	150
1a776a0c	151	=head1 SYNOPSIS
bf2bce67	152
20e33791	153	use Catalyst qw/Session Session::State::Cookie Session::Store::Foo/;
bf2bce67	154
1a776a0c	155	=head1 DESCRIPTION
bf2bce67	156
1a776a0c	157	In order for L<Catalyst::Plugin::Session> to work the session ID needs to be
1a776a0c	158	stored on the client, and the session data needs to be stored on the server.
bf2bce67	159
1a776a0c	160	This plugin stores the session ID on the client using the cookie mechanism.
57dbf608	161
724a6173	162	=head1 METHODS
	163
	164	=over 4
	165
	166	=item make_session_cookie
	167
	168	Returns a hash reference with the default values for new cookies.
	169
	170	=item update_session_cookie $hash_ref
	171
	172	Sets the cookie based on C<cookie_name> in the response object.
	173
2cfb85de	174	=item calc_expiry
	175
	176	=item calculate_session_cookie_expires
	177
	178	=item cookie_is_rejecting
	179
	180	=item delete_session_id
	181
	182	=item extend_session_id
	183
	184	=item get_session_cookie
	185
	186	=item get_session_id
	187
	188	=item set_session_id
	189
724a6173	190	=back
724a6173	191
1a776a0c	192	=head1 EXTENDED METHODS
58c05d1a	193
57dbf608	194	=over 4
57dbf608	195
1a776a0c	196	=item prepare_cookies
57dbf608	197
1a776a0c	198	Will restore if an appropriate cookie is found.
58c05d1a	199
d52e5079	200	=item finalize_cookies
58c05d1a	201
1536d9aa	202	Will set a cookie called C<session> if it doesn't exist or if its value is not
19c2baa1	203	the current session id.
	204
	205	=item setup_session
	206
1536d9aa	207	Will set the C<cookie_name> parameter to its default value if it isn't set.
58c05d1a	208
57dbf608	209	=back
58c05d1a	210
5e50008f	211	=head1 CONFIGURATION
	212
	213	=over 4
	214
	215	=item cookie_name
	216
ae33e13f	217	The name of the cookie to store (defaults to C<Catalyst::Utils::apprefix($c) . '_session'>).
5e50008f	218
41b4b15c	219	=item cookie_domain
	220
	221	The name of the domain to store in the cookie (defaults to current host)
	222
7022ec4c	223	=item cookie_expires
7022ec4c	224
ab649d6b	225	Number of seconds from now you want to elapse before cookie will expire.
ab649d6b	226	Set to 0 to create a session cookie, ie one which will die when the
7022ec4c	227	user's browser is shut down.
7022ec4c	228
fc4b9d6d	229	=item cookie_secure
fc4b9d6d	230
d2cf2047	231	If this attribute B<set to 0> the cookie will not have the secure flag.
d2cf2047	232
ab649d6b	233	If this attribute B<set to 1> (or true for backward compatibility) - the cookie
ab649d6b	234	send by the server to the client will got the secure flag that tells the browser
d2cf2047	235	to send this cookies back to the server only via HTTPS.
	236
	237	If this attribute B<set to 2> then the cookie will got the secure flag only if
ab649d6b	238	the request that caused cookie generation was sent over https (this option is
d2cf2047	239	not good if you are mixing https and http in you application).
	240
	241	Default vaule is 0.
	242
	243	=item cookie_httponly
	244
	245	If this attribute B<set to 0>, the cookie will not have HTTPOnly flag.
	246
ab649d6b	247	If this attribute B<set to 1>, the cookie will got HTTPOnly flag that should
d2cf2047	248	prevent client side Javascript accessing the cookie value - this makes some
d2cf2047	249	sort of session hijacking attacks significantly harder. Unfortunately not all
ab649d6b	250	browsers support this flag (MSIE 6 SP1+, Firefox 3.0.0.6+, Opera 9.5+); if
d2cf2047	251	a browser is not aware of HTTPOnly the flag will be ignored.
	252
	253	Default value is 1.
	254
	255	Note1: Many peole are confused by the name "HTTPOnly" - it B<does not mean>
ab649d6b	256	that this cookie works only over HTTP and not over HTTPS.
d2cf2047	257
d2cf2047	258	Note2: This paramater requires Catalyst::Runtime 5.80005 otherwise is skipped.
fc4b9d6d	259
8bdcbb46	260	=item cookie_path
	261
	262	The path of the request url where cookie should be baked.
	263
5e50008f	264	=back
5e50008f	265
d6bdceb5	266	For example, you could stick this in MyApp.pm:
	267
	268	__PACKAGE__->config( session => {
	269	cookie_domain => '.mydomain.com',
	270	});
	271
724a6173	272	=head1 CAVEATS
db1cda22	273
	274	Sessions have to be created before the first write to be saved. For example:
	275
	276	sub action : Local {
	277	my ( $self, $c ) = @_;
	278	$c->res->write("foo");
	279	$c->session( ... );
	280	...
	281	}
	282
	283	Will cause a session ID to not be set, because by the time a session is
	284	actually created the headers have already been sent to the client.
	285
bf2bce67	286	=head1 SEE ALSO
bf2bce67	287
1a776a0c	288	L<Catalyst>, L<Catalyst::Plugin::Session>.
bf2bce67	289
47f47da5	290	=head1 AUTHORS
bf2bce67	291
8ae6d944	292	Yuval Kogman E<lt>nothingmuch@woobling.orgE<gt>
	293
	294	=head1 CONTRIBUTORS
	295
47f47da5	296	This module is derived from L<Catalyst::Plugin::Session::FastMmap> code, and
	297	has been heavily modified since.
	298
d6bdceb5	299	Andrew Ford
	300	Andy Grundman
	301	Christian Hansen
	302	Marcus Ramberg
	303	Jonathan Rockway E<lt>jrockway@cpan.orgE<gt>
	304	Sebastian Riedel
bf2bce67	305
	306	=head1 COPYRIGHT
	307
bab1512d	308	Copyright (c) 2005, Yuval Kogman C<< <nothingmuch@woobling.org> >>
	309
	310	=head1 LICENSE
	311
bfeb5ca0	312	This program is free software, you can redistribute it and/or modify it
bfeb5ca0	313	under the same terms as Perl itself.
bf2bce67	314
	315	=cut
	316
	317	1;