Use secure session cookies (in login, too)

lazyatom · Oct 1, 2008 · 8853ac9 · 8853ac9
1 parent ae16b46
commit 8853ac9
Show file tree

Hide file tree

Showing 5 changed files with 43 additions and 11 deletions.
diff --git a/Rakefile b/Rakefile
@@ -73,7 +73,8 @@ task :upgrade => ["upgrade:dynasnips"]
 desc 'Add a user (or change an existing password)'
 task :add_user => :prepare do
   puts "Adding a new user"
-  credentials = YAML.load(File.open("vanilla-authorization.yml")) rescue {}
+  credential_file = File.join(Vanilla::App.root,'config','vanilla-authorization.yml')
+  credentials = YAML.load(File.open(credential_file)) rescue {}
   print "Username: "
   username = STDIN.gets.chomp.strip
   print "Password: "
@@ -84,11 +85,31 @@ task :add_user => :prepare do
     raise "Passwords don't match!"
   else
     credentials[username] = MD5.md5(password).to_s
-    File.open("vanilla-authorization.yml", "w") { |f| f.write credentials.to_yaml }
+    File.open(credential_file, "w") { |f| f.write credentials.to_yaml }
     puts "User '#{username}' added."
   end
 end
 
+desc 'Generate file containing secret for cookie-based session storage'
+task :generate_secret_file do
+  # Adapted from old rails secret generator.
+  require 'openssl'
+  if !File.exist?("/dev/urandom")
+    # OpenSSL transparently seeds the random number generator with
+    # data from /dev/urandom. On platforms where that is not
+    # available, such as Windows, we have to provide OpenSSL with
+    # our own seed. Unfortunately there's no way to provide a
+    # secure seed without OS support, so we'll have to do with
+    # rand() and Time.now.usec().
+    OpenSSL::Random.seed(rand(0).to_s + Time.now.usec.to_s)
+  end
+  data = OpenSSL::BN.rand(2048, -1, false).to_s
+  secret = OpenSSL::Digest::SHA512.new(data).hexdigest
+  File.open(File.join(Vanilla::App.root,'config','secret.yml'),'w') {|f| f.write({"secret" => secret}.to_yaml)}
+  puts "Secret file generated."
+end
+
+
 desc 'Prepare a new vanilla.rb installation'
 task :setup do
   puts <<-EOM
@@ -101,6 +122,13 @@ Lets get started. Firstly, I'm going to cook you some soup:
 
 EOM
   Rake::Task[:bootstrap].invoke
+
+  puts <<-EOM
+  
+Generating the file that will contain the secret for cookie-based session storage.
+EOM
+  Rake::Task[:generate_secret_file].invoke
+
   puts <<-EOM
 
 
@@ -133,4 +161,4 @@ Spec::Rake::SpecTask.new do |t|
   t.libs = ["spec"]
 end
 
-task :default => :spec
+task :default => :spec
diff --git a/lib/vanilla.ru b/lib/vanilla.ru
@@ -3,6 +3,7 @@ require 'vanilla/rack_app'
 
 use Rack::Session::Cookie, :key => 'vanilla.session',
                            :path => '/',
-                           :expire_after => 2592000
+                           :expire_after => 2592000,
+			   :secret => YAML.load(File.read(File.join(Vanilla::App.root,'config','secret.yml')))['secret']
 use Rack::Static, :urls => ["/public"], :root => File.join(File.dirname(__FILE__), *%w[vanilla])
 run Vanilla::RackApp.new
diff --git a/lib/vanilla/config/secret.yml.example b/lib/vanilla/config/secret.yml.example
@@ -0,0 +1,2 @@
+--- 
+secret: "run rake generate_secret_file to generate a (mostly) secure secret"
diff --git a/lib/vanilla/config/vanilla-authorization.yml.example b/lib/vanilla/config/vanilla-authorization.yml.example
@@ -0,0 +1,2 @@
+--- 
+test: 098f6bcd4621d373cade4e832627b4f6
diff --git a/lib/vanilla/dynasnips/login.rb b/lib/vanilla/dynasnips/login.rb
@@ -9,7 +9,7 @@ def logged_in?
     end
 
     def current_user
-      app.request.cookies['logged_in_as']
+      app.request.session['logged_in_as']
     end
 
     def login_required
@@ -27,18 +27,17 @@ def get(*args)
   end
 
   def post(*args)
-    credentials = YAML.load(File.open("vanilla-authorization.yml"))
+    credentials = YAML.load(File.open(File.join(Vanilla::App.root,'config','vanilla-authorization.yml')))
     if credentials[cleaned_params[:name]] == MD5.md5(cleaned_params[:password]).to_s
-      app.response.set_cookie('logged_in_as', cleaned_params[:name])
-      app.request.cookies['logged_in_as'] = cleaned_params[:name]
+      app.request.session['logged_in_as'] = cleaned_params[:name]
       login_controls
     else
       "login fail!"
     end
   end
 
   def delete(*args)
-    app.response.delete_cookie('logged_in_as')
+    app.request.session['logged_in_as'] = nil
     "Logged out"
   end
 
@@ -53,6 +52,6 @@ def delete(*args)
   private
 
   def login_controls
-    "logged in as {link_to #{app.request.cookies['logged_in_as']}}; <a href='/login?_method=delete'>logout</a>"
+    "logged in as {link_to #{app.request.session['logged_in_as']}}; <a href='/login?_method=delete'>logout</a>"
   end
-end
+end