Skip to content

Commit

Permalink
Use random UUID for default client side session encryption secret
Browse files Browse the repository at this point in the history
  • Loading branch information
ldaley committed Mar 8, 2021
1 parent 80dc530 commit 603e0c5
Show file tree
Hide file tree
Showing 2 changed files with 31 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,10 @@

package ratpack.session.clientside;

import ratpack.api.Nullable;

import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.time.Duration;

/**
Expand All @@ -24,11 +28,18 @@
public class ClientSideSessionConfig {

private static final String LAST_ACCESS_TIME_TOKEN = "ratpack_lat";
private static final SecureRandom SECURE_RANDOM = new SecureRandom();

private static String randomString(int byteLength) {
byte[] bytes = new byte[byteLength];
SECURE_RANDOM.nextBytes(bytes);
return new String(bytes, StandardCharsets.ISO_8859_1);
}

private String sessionCookieName = "ratpack_session";
private String secretToken = Long.toString(System.currentTimeMillis() / 10000);
private String secretToken = randomString(64);
private String macAlgorithm = "HmacSHA1";
private String secretKey;
private String secretKey = randomString(16);
private String cipherAlgorithm = "AES/CBC/PKCS5Padding";
private int maxSessionCookieSize = 1932;
private Duration maxInactivityInterval = Duration.ofHours(24);
Expand All @@ -40,6 +51,7 @@ public class ClientSideSessionConfig {
* cookies. Every session cookie has a postfix {@code _index}, where {@code index} is the partition number.
* <p>
* <b>Defaults to: </b> {@code ratpack_session}
*
* @return the name of the {@code cookie} used to store session data.
*/
public String getSessionCookieName() {
Expand All @@ -59,6 +71,7 @@ public void setSessionCookieName(String sessionCookieName) {
* The name of the {@code cookie} used to store session's last access time.
* <p>
* Last access time is updated on every session load or store
*
* @return the name of the {@code cookie} with session's last access time
*/
public String getLastAccessTimeCookieName() {
Expand All @@ -68,7 +81,7 @@ public String getLastAccessTimeCookieName() {
/**
* The token used to sign the serialized session to prevent tampering.
* <p>
* If not set, this is set to a time based value.
* If not set, this is set to a random value.
* <p>
* <b>Important: </b> if working with clustered sessions, not being tied to any ratpack app instance,
* {@code secretToken} has to be the same in every ratpack instance configuration.
Expand Down Expand Up @@ -111,15 +124,21 @@ public void setMacAlgorithm(String macAlgorithm) {
*
* @return the secret key used in encryption/decryption of the serialized session data.
*/
@Nullable
public String getSecretKey() {
return secretKey;
}

/**
* Set the secret key used in the symmetric-key encryption/decryption of the serialized session data.
* <p>
* Defaults to a randomly generated 16 byte value.
* <p>
* Can be set to {@code null} only if {@link #setCipherAlgorithm(String)} is null.
*
* @param secretKey a secret key
*/
public void setSecretKey(String secretKey) {
public void setSecretKey(@Nullable String secretKey) {
this.secretKey = secretKey;
}

Expand All @@ -130,26 +149,30 @@ public void setSecretKey(String secretKey) {
*
* @return the algorithm used to encrypt/decrypt the serialized session.
*/
@Nullable
public String getCipherAlgorithm() {
return cipherAlgorithm;
}

/**
* Set the cipher algorithm used to encrypt/decrypt the serialized session data.
* <p>
* Defaults to {@code "AES/CBC/PKCS5Padding"}.
*
* @param cipherAlgorithm a cipher algorithm
*/
public void setCipherAlgorithm(String cipherAlgorithm) {
public void setCipherAlgorithm(@Nullable String cipherAlgorithm) {
this.cipherAlgorithm = cipherAlgorithm;
}

/**
/**
* Maximum size of the session cookie. If encrypted cookie exceeds it, it will be partitioned.
* <p>
* According to the <a href="http://www.ietf.org/rfc/rfc2109.txt">RFC 2109</a> web cookies should be at least
* 4096 bytes per cookie and at least 20 cookies per domain should be supported.
* <p>
* <b>Defaults to: </b> {@code 1932}.
*
* @return the maximum size of the cookie session.
*/
public int getMaxSessionCookieSize() {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -127,7 +127,7 @@ protected void configure() {
@Provides
@Singleton
Signer signer(ClientSideSessionConfig config) {
byte[] token = config.getSecretToken().getBytes(CharsetUtil.UTF_8);
byte[] token = config.getSecretToken().getBytes(CharsetUtil.ISO_8859_1);
return new DefaultSigner(new SecretKeySpec(token, config.getMacAlgorithm()));
}

Expand All @@ -137,7 +137,7 @@ Crypto crypto(ClientSideSessionConfig config) {
if (config.getSecretKey() == null || config.getCipherAlgorithm() == null) {
return NoCrypto.INSTANCE;
} else {
return new DefaultCrypto(config.getSecretKey().getBytes(CharsetUtil.UTF_8), config.getCipherAlgorithm());
return new DefaultCrypto(config.getSecretKey().getBytes(CharsetUtil.ISO_8859_1), config.getCipherAlgorithm());
}
}

Expand Down

0 comments on commit 603e0c5

Please sign in to comment.