Class: Rack::Session::EncryptedCookie

Inherits:
Object
Defined in:
lib/encrypted_cookie.rb,
lib/encrypted_cookie/encryptor.rb

Overview

Rack::Session::EncryptedCookie provides AES-256-encrypted, tamper-proof cookie-based session management.

The session is Marshal’d, encrypted and HMAC’d.

Example:

use Rack::Session::EncryptedCookie,
  :secret => 'change_me',
  :key => 'rack.session',
  :domain => 'foo.com',
  :path => '/',
  :expire_after => 2592000,
  :time_to_live => 600

All parameters are optional except :secret.

The default session time-to-live is 30 minutes. You can set the
timeout on a per-session basis by storing an expiration time in the
session itself:
   session[Rack::Session::EncryptedCookie::EXPIRES] = Time.now + 120

Note that you should not rely on the expire_after cookie attribute for
session expiry, since the cookie's expiry is controlled by the client
and can be altered by the recipient. Use time_to_live instead, which is
enforced by a server-side check.
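The following is an added illustration, not the gem's own Encryptor class, of the scheme the overview describes: the session hash is Marshal'd, AES-256 encrypted, then HMAC'd, and expiry is enforced server-side from the time_to_live default or a per-session EXPIRES value stored inside the protected payload. The key derivation, the cookie layout (IV + ciphertext + MAC, Base64) and the DemoCookieCodec name are assumptions of this example.

```ruby
require 'openssl'
require 'base64'

# Illustrative encrypt-then-MAC session cookie codec (assumption: not the gem's
# Encryptor). Tampering with any byte fails the HMAC check, so the expiry stored
# inside the cookie cannot be extended by the client.
class DemoCookieCodec
  EXPIRES = '_encrypted_cookie_expires_' # same key the middleware documents

  def initialize(secret, time_to_live: 1800)
    # Derive separate encryption and MAC keys from the shared secret (assumption).
    @enc_key = OpenSSL::Digest::SHA256.digest("enc:#{secret}")
    @mac_key = OpenSSL::Digest::SHA256.digest("mac:#{secret}")
    @ttl = time_to_live
  end

  # Marshal, encrypt (AES-256-CBC, fresh random IV), then HMAC-SHA256 the result.
  def encode(session, now: Time.now)
    session = session.dup
    session[EXPIRES] ||= now + @ttl # per-session EXPIRES wins over the default TTL
    cipher = OpenSSL::Cipher.new('aes-256-cbc').encrypt
    cipher.key = @enc_key
    iv = cipher.random_iv
    ct = iv + cipher.update(Marshal.dump(session)) + cipher.final
    Base64.strict_encode64(ct + OpenSSL::HMAC.digest('sha256', @mac_key, ct))
  end

  # Verify the MAC before decrypting; an invalid or expired cookie yields {}.
  def decode(cookie, now: Time.now)
    raw = Base64.strict_decode64(cookie)
    return {} if raw.bytesize < 16 + 16 + 32 # IV + at least one block + MAC
    ct, mac = raw[0...-32], raw[-32..-1]
    return {} unless same?(OpenSSL::HMAC.digest('sha256', @mac_key, ct), mac)
    cipher = OpenSSL::Cipher.new('aes-256-cbc').decrypt
    cipher.key = @enc_key
    cipher.iv = ct[0, 16]
    session = Marshal.load(cipher.update(ct[16..-1]) + cipher.final)
    exp = session[EXPIRES]
    return {} if exp && exp < now # server-side expiry check
    session
  rescue ArgumentError, OpenSSL::Cipher::CipherError
    {}
  end

  private

  # Constant-time comparison so MAC checking does not leak timing information.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```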

Defined Under Namespace

Classes: Encryptor

Constant Summary

EXPIRES =
'_encrypted_cookie_expires_'

Instance Method Summary

Constructor Details

#initialize(app, options = {}) ⇒ EncryptedCookie

Returns a new instance of EncryptedCookie.

# File 'lib/encrypted_cookie.rb', line 34

def initialize(app, options={})
  @app = app
  @key = options[:key] || "rack.session"
  @secret = options[:secret]
  fail "Error! A secret is required to use encrypted cookies. Do something like this:\n\nuse Rack::Session::EncryptedCookie, :secret => YOUR_VERY_LONG_VERY_RANDOM_SECRET_KEY_HERE" unless @secret
  @default_options = {:domain => nil,
    :path => "/",
    :time_to_live => 1800,
    :expire_after => nil}.merge(options)
  @encryptor = Encryptor.new(@secret)
end

Instance Method Details

#call(env) ⇒ Object

# File 'lib/encrypted_cookie.rb', line 46

def call(env)
  load_session(env)
  status, headers, body = @app.call(env)
  commit_session(env, status, headers, body)
end