
Fixed the final notes

1 parent df5a881 commit 68c48b1ac796ebee8aa45c7f270e40386220d3f7 @lhft lhft committed Jan 27, 2013
Showing with 34 additions and 190 deletions.
  1. +34 −190 src/mochiweb_session.erl
224 src/mochiweb_session.erl
@@ -1,66 +1,54 @@
%% @author Asier Azkuenaga Batiz <asier@zebixe.com>
-%% @doc HTTP Cookie session. Note that the user name and expiration time travel unencrypted as far as this module concerns.
+%% @doc HTTP Cookie session. Note that the expiration time travels unencrypted as far as this module concerns.
%% In order to achieve more security, it is adviced to use https
-module(mochiweb_session).
-export([generate_session_data/4,generate_session_cookie/4,check_session_cookie/4]).
-%% @spec generate_session_data(ExpirationTime,Data :: string(),FSessionKey : function(A),ServerKey) -> string()
-%% @doc generates a secure encrypted string convining all the parameters.
-%% The expiration time is considered in seconds
+%% @spec generate_session_data(ExpirationTime,Data :: string(),FSessionKey : function(A),ServerKey) -> binary()
+%% @doc generates a secure encrypted binary convining all the parameters.
+%% The expiration time is a number that must be able to be represented on 32 bit.
generate_session_data(ExpirationTime,Data,FSessionKey,ServerKey) when is_integer(ExpirationTime),is_list(Data), is_function(FSessionKey)->
BData=ensure_binary(Data),
- ExpTime=integer_to_list(ExpirationTime),
- BExpTime=ensure_binary(ExpTime),
+ ExpTime= integer_to_list(ExpirationTime),
Key=gen_key(ExpTime,ServerKey),
- Hmac=gen_hmac(ExpTime,BData,FSessionKey(integer_to_list(ExpirationTime)),Key),
+ Hmac=gen_hmac(ExpTime,BData,FSessionKey(ExpTime),Key),
EData=encrypt_data(BData,Key),
- io:format("data:~p length:~p~n",[<<ExpirationTime:32>>,length(integer_to_list(binary:decode_unsigned(<<ExpirationTime:32>>)))]),
- base64:encode(<< BExpTime:32,Hmac/binary, EData/binary>>).
+ base64:encode(<< ExpirationTime:32/integer,Hmac/binary, EData/binary>>).
%% @spec generate_session_data(UserName,ExpirationTime,SessionExtraData,FSessionKey : function(A),ServerKey) -> mochiweb_cookie()
-%% @doc generates a secure encrypted cookie using the generate_session_data function.
-generate_session_cookie(ExpirationTime,Data,FSessionKey,ServerKey) when is_integer(ExpirationTime)->
+%% @doc generates a secure encrypted binary convining all the parameters.
+%% The expiration time is a number that must be able to be represented on 32 bit.
+%% This function conveniently generates a mochiweb cookie using the "id" as key and current local time as local time
+generate_session_cookie(ExpirationTime,Data,FSessionKey,ServerKey) when is_integer(ExpirationTime),is_list(Data), is_function(FSessionKey)->
CookieData=generate_session_data(ExpirationTime,Data,FSessionKey,ServerKey),
mochiweb_cookies:cookie("id",CookieData,[{max_age,20000},{local_time,calendar:universal_time_to_local_time(calendar:universal_time())}]).
-%% @spec cookie_check_session(RawData,ExpirationTime,FSessionKey : function(A), ServerKey)->{false,[UserName,Expiration,Data]} |
-%% {false,[]} |
-%% {true,[UserName,Expiration,Data]}
+%% @spec cookie_check_session(RawData,ExpirationTime,FSessionKey, ServerKey)->{false,[ExpirationTime,Data]} |
+%% {false,[]} |
+%% {true,[ExpirationTime,Data]},
+%% RawData = binary() ,
+%% ExpirationTime = integer(),
+%% FSessionKey = function(A) ,
+%% ServerKey = string()
check_session_cookie(undefined,_,_,_) ->
{false,[]};
check_session_cookie([],_,_,_) ->
{false,[]};
-check_session_cookie(ECookie,ExpirationTime,FSessionKey,ServerKey) ->
- Cookie=base64:decode(ECookie),
- <<ExpirationTime1:32/binary,BHmac:16/binary,EData/binary>> = Cookie,
- ExpTime=binary:decode_unsigned(<<ExpirationTime1>>),
- Key=gen_key(ExpirationTime1,ServerKey),
+check_session_cookie(ECookie,ExpirationTime,FSessionKey,ServerKey) when is_binary(ECookie), is_integer(ExpirationTime), is_function(FSessionKey)->
+ <<ExpirationTime1:32/integer,BHmac:20/binary,EData/binary>> = base64:decode(ECookie),
+ Key=gen_key(integer_to_list(ExpirationTime1),ServerKey),
Data=decrypt_data(EData,Key),
- Hmac2=gen_hmac(ExpirationTime1,Data,FSessionKey(ExpirationTime1),Key),
- if ExpTime<ExpirationTime -> {false,[ExpirationTime1,binary_to_list(Data)]};
+ Hmac2=gen_hmac(integer_to_list(ExpirationTime1),Data,FSessionKey(integer_to_list(ExpirationTime1)),Key),
+ if ExpirationTime1<ExpirationTime -> {false,[ExpirationTime1,binary_to_list(Data)]};
true ->
if Hmac2==BHmac -> {true,[ExpirationTime1,binary_to_list(Data)]};
true -> {false,[ExpirationTime1,binary_to_list(Data)]}
end
end.
-%% check_session_cookie(ExpirationTime1, EData, BHmac,ExpirationTime,FSessionKey,ServerKey)
-%% when is_integer(ExpirationTime) , is_list(ServerKey), is_list(ExpirationTime1)->
-%% ExpTime=list_to_integer(ExpirationTime1),
-%% Key=gen_key(ExpirationTime1,ServerKey),
-%% Data=decrypt_data(EData,Key),
-%% Hmac2=gen_hmac(ExpirationTime1,Data,FSessionKey(ExpirationTime1),Key),
-%% if ExpTime<ExpirationTime -> {false,[ExpirationTime1,binary_to_list(Data)]};
-%% true ->
-%% if Hmac2==BHmac -> {true,[ExpirationTime1,binary_to_list(Data)]};
-%% true -> {false,[ExpirationTime1,binary_to_list(Data)]}
-%% end
-%% end;
-%% check_session_cookie(_,_,_,_,_,_) ->
-%% {false,[]}.
ensure_binary(B) when is_binary(B) ->
B;
@@ -92,179 +80,35 @@ server_key()->%setup function
["adfasdfasfs",30000].
generate_check_session_cookie([ServerKey,TimeStamp]) ->
- [?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice"]},
+ [?_assertEqual({true,[TimeStamp+1000,"alice"]},
check_session_cookie(generate_session_data(TimeStamp+1000,"alice",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
- ?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
+ ?_assertEqual({true,[TimeStamp+1000,"alice and"]},
check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
-
-
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
+
+
+ ?_assertEqual({true,[TimeStamp+1000,"alice and"]},
check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and"]},
- check_session_cookie(generate_session_data(TimeStamp+1000,"alice and",fun(A)-> A end,ServerKey),
- TimeStamp,fun(A)-> A end,ServerKey)),
-
-
-
-
+
- ?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice and bob"]},
+ ?_assertEqual({true,[TimeStamp+1000,"alice and bob"]},
check_session_cookie(generate_session_data(TimeStamp+1000,"alice and bob",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
- ?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice jlkjfkjsdfg sdkfjgldsjgl"]},
+ ?_assertEqual({true,[TimeStamp+1000,"alice jlkjfkjsdfg sdkfjgldsjgl"]},
check_session_cookie(generate_session_data(TimeStamp+1000,"alice jlkjfkjsdfg sdkfjgldsjgl",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
- ?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice .'¡'ç+-$%/(&\""]},
+ ?_assertEqual({true,[TimeStamp+1000,"alice .'¡'ç+-$%/(&\""]},
check_session_cookie(generate_session_data(TimeStamp+1000,"alice .'¡'ç+-$%/(&\"",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
- ?_assertEqual({true,[integer_to_list(TimeStamp+1000),"alice456689875"]},
+ ?_assertEqual({true,[TimeStamp+1000,"alice456689875"]},
check_session_cookie(generate_session_data(TimeStamp+1000,["alice","456689875"],fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
?_assertError(function_clause,
check_session_cookie(generate_session_data(TimeStamp+1000,{tuple,one},fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey)),
- ?_assertEqual({false,[integer_to_list(TimeStamp-1),"bob"]},
+ ?_assertEqual({false,[TimeStamp-1,"bob"]},
check_session_cookie(generate_session_data(TimeStamp-1,"bob",fun(A)-> A end,ServerKey),
TimeStamp,fun(A)-> A end,ServerKey))%current timestamp newer than cookie, it's expired
].
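Review bot: The HMAC is verified last and does not gate the result: in check_session_cookie (L65–L77, entirely inside the first hunk) EData is decrypted before any authentication, the expiry test on L72 runs before the Hmac2/BHmac comparison, and both `{false,[ExpirationTime1,binary_to_list(Data)]}` branches return the plaintext, so a cookie whose MAC does not match still hands its decrypted payload back to the caller. Comparing Hmac2 against BHmac first and returning `{false,[]}` on mismatch keeps unauthenticated data out of the caller, and since BHmac comes straight from the client the comparison should be constant-time rather than `==` (`crypto:hash_equals/2` on OTP 25+, or a byte-wise fold that does not short-circuit). The tests in the second hunk only exercise authentic cookies, so an expectation for a tampered cookie would need adding alongside this change. Separately, a malformed cookie raises from `base64:decode` or the binary match on L66 instead of returning the `{false,[]}` that the `undefined`/`[]` clauses return; whether a crash is acceptable there depends on the caller, which is outside this hunk.
```erlang
    Hmac2=gen_hmac(integer_to_list(ExpirationTime1),Data,FSessionKey(integer_to_list(ExpirationTime1)),Key),
    %% authenticate before returning anything derived from the cookie
    case Hmac2 =:= BHmac of
        false -> {false,[]};
        true when ExpirationTime1 < ExpirationTime -> {false,[ExpirationTime1,binary_to_list(Data)]};
        true -> {true,[ExpirationTime1,binary_to_list(Data)]}
    end.
```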
