
Merge pull request #21 from sunfmin/master

Base64 URLEncoding can generate "-", so it's not safe to use "--" as the signature separator. I encounter this tricky bug quite frequently.
commit 32aca7ac347c23fbb97e1987ebf974465888ee72 2 parents f7e26f6 + c5e0930
Paul Bellamy authored

Showing 2 changed files with 22 additions and 10 deletions.

  1. +20 8 sessions.go
  2. +2 2 sessions_test.go
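--- a/sessions.go
+++ b/sessions.go
@@ -2,13 +2,13 @@ package mango
 
 import (
 "bytes"
-"hash"
 "crypto/hmac"
 "crypto/sha1"
 "encoding/base64"
+"encoding/gob"
 "fmt"
+"hash"
 "io/ioutil"
-"encoding/gob"
 "net/http"
 "strings"
 )
@@ -50,7 +50,7 @@ func decode64(value string) (result string) {
 func decodeCookie(value, secret string) (cookie map[string]interface{}) {
 cookie = make(map[string]interface{})
 
-split := strings.Split(string(value), "--")
+split := strings.Split(string(value), "/")
 
 if len(split) < 2 {
 return cookie
@@ -91,7 +91,7 @@ func encode64(value string) (result string) {
 func encodeCookie(value map[string]interface{}, secret string) (cookie string) {
 data := encodeGob(value)
 
-return fmt.Sprintf("%s--%s", encode64(data), encode64(hashCookie(data, secret)))
+return fmt.Sprintf("%s/%s", encode64(data), encode64(hashCookie(data, secret)))
 }
 
 func prepareSession(env Env, key, secret string) {
@@ -106,19 +106,31 @@ func prepareSession(env Env, key, secret string) {
 env["mango.session"] = make(map[string]interface{})
 }
 
-func commitSession(headers Headers, env Env, key, secret, domain string) {
+func commitSession(headers Headers, env Env, key, secret string, options *CookieOptions) {
 cookie := new(http.Cookie)
 cookie.Name = key
 cookie.Value = encodeCookie(env["mango.session"].(map[string]interface{}), secret)
-cookie.Domain = domain
+cookie.Path = options.Path
+cookie.Domain = options.Domain
+cookie.MaxAge = options.MaxAge
+cookie.Secure = options.Secure
+cookie.HttpOnly = options.HttpOnly
 headers.Add("Set-Cookie", cookie.String())
 }
 
-func Sessions(secret, key, domain string) Middleware {
+type CookieOptions struct {
+Domain string
+Path string
+MaxAge int
+Secure bool
+HttpOnly bool
+}
+
+func Sessions(secret, key string, options *CookieOptions) Middleware {
 return func(env Env, app App) (status Status, headers Headers, body Body) {
 prepareSession(env, key, secret)
 status, headers, body = app(env)
-commitSession(headers, env, key, secret, domain)
+commitSession(headers, env, key, secret, options)
 return status, headers, body
 }
 }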
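Review bot: `commitSession` dereferences `options` unconditionally, from `cookie.Path = options.Path` onward, so `Sessions(secret, key, nil)` compiles but would panic on every response once the middleware runs. Guard it at the top of `commitSession` (or once in `Sessions`) with `if options == nil { options = &CookieOptions{} }`. Separately, the zero value of `CookieOptions` leaves `Secure` and `HttpOnly` false, so a caller who sets only `Domain`, as the updated tests do, gets a session cookie that is readable from script and sent over plain HTTP. A doc comment on the type would make that visible, e.g. `// CookieOptions configures the session cookie; Secure and HttpOnly default to false and should be set explicitly for authenticated sessions.`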
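--- a/sessions_test.go
+++ b/sessions_test.go
@@ -32,7 +32,7 @@ func TestSessions(t *testing.T) {
 
 // Compile the stack
 sessionsStack := new(Stack)
-sessionsStack.Middleware(Sessions("my_secret", "my_key", ".my.domain.com"))
+sessionsStack.Middleware(Sessions("my_secret", "my_key", &CookieOptions{Domain: ".my.domain.com"}))
 sessionsApp := sessionsStack.Compile(sessionsTestServer)
 
 // Request against it
@@ -83,7 +83,7 @@ func BenchmarkSessions(b *testing.B) {
 }
 
 sessionsStack := new(Stack)
-sessionsStack.Middleware(Sessions("my_secret", "my_key", ".my.domain.com"))
+sessionsStack.Middleware(Sessions("my_secret", "my_key", &CookieOptions{Domain: ".my.domain.com"}))
 sessionsApp := sessionsStack.Compile(sessionsTestServer)
 
 request, _ := http.NewRequest("GET", "http://localhost:3000/", nil)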
