package Dancer::Session::Cookie;

use strict;
use warnings;
use base 'Dancer::Session::Abstract';

use Crypt::CBC;
use String::CRC32;
use Crypt::Rijndael;

use Dancer ();
use Dancer::Config 'setting';
use Storable     ();
use MIME::Base64 ();

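our $VERSION = '0.15';

# Module-wide Crypt::CBC instance. It is created once by init() from the
# session_cookie_key setting and shared by _encrypt()/_decrypt(); it stays
# undef (and those helpers die) until init() has run.
my $CIPHER;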

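sub init {
    my ($class) = @_;

    # The key is mandatory. Without it every cookie would be readable and
    # forgeable by the client, so refuse to start rather than fall back to
    # some built-in default.
    my $key = setting("session_cookie_key")
      or die "The setting session_cookie_key must be defined";

    # The documentation asks for at least 16 characters; Crypt::CBC derives
    # the actual cipher key from this string (it is passed as -key, not
    # -literal_key, as described in the Crypt::CBC docs), so a short or
    # guessable passphrase weakens the encryption. Warn rather than die so
    # that existing deployments keep working while the operator fixes it.
    warn "session_cookie_key is shorter than 16 characters; "
       . "use a longer random key (see Dancer::Session::Cookie)\n"
      if length($key) < 16;

    # One module-wide cipher object, shared by _encrypt()/_decrypt().
    $CIPHER = Crypt::CBC->new(
        -key    => $key,
        -cipher => 'Rijndael',
    );
}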

sub new {
    my $class = shift;

    # There is no separate session id to generate here: the encrypted,
    # serialized session text itself acts as the id (see flush/retrieve),
    # so the generic Dancer::Object constructor is all that is needed.
    my $session = Dancer::Object::new($class, @_);

    return $session;
}

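sub retrieve {
    my ($class, $id) = @_;

    # $id is the raw cookie value sent by the client and is untrusted.
    # Everything that may die on malformed input runs inside the eval so a
    # bad or forged cookie yields "no session" instead of an exception.
    my $ses = eval {
        # 1. decrypt and verify the CRC32 (undef on any mismatch)
        my $plain_text = _decrypt($id);

        # 2. deserialize. NOTE(review): Storable::thaw only sees data that
        # decrypted and checksummed correctly, but CRC32 is a checksum, not
        # a keyed MAC, so still treat the thawed structure as client input.
        my $data = $plain_text && Storable::thaw($plain_text);

        # Remember the cookie text as the id so flush() can round-trip it.
        # Done inside the eval so that a non-hash result cannot die here.
        $data and $data->{id} = $id;
        $data;
    };

    return $ses;
}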

sub create {
    my $class = shift;

    # A brand-new session starts with a placeholder id; the real value
    # (the encrypted cookie text) is assigned by flush().
    my $fresh = Dancer::Session::Cookie->new(id => 'empty');

    return $fresh;
}


# session_name was introduced to Dancer::Session::Abstract in 1.176
# we have 1.130 as the minimum
sub session_name {
    my $self = shift;

    # The parent class may not provide session_name at all (it only
    # appeared in Dancer 1.176), so the SUPER call is guarded by eval and
    # we fall back to the configured name, then to the hard-coded default.
    my $name = eval { $self->SUPER::session_name };
    $name ||= setting("session_name");
    $name ||= "dancer.session";

    return $name;
}

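sub flush {
    my $self = shift;

    # 1. serialize and encrypt the session. The id is dropped first: it is
    # the previous cookie text, not session data, and would otherwise be
    # nested inside the new cookie and grow it on every request.
    delete $self->{id};
    my $cipher_text = _encrypt(Storable::freeze($self));

    # 2. send the encrypted session back as the session cookie. The whole
    # session travels in this one cookie, so large sessions run into
    # browser cookie size limits (see the gzip note in _encrypt).
    my $session_name = $self->session_name;

    # Keep the cookie out of reach of client-side script unless the app
    # explicitly opted out. NOTE(review): this mirrors Dancer core's
    # session_is_http_only setting / Dancer::Cookie http_only attribute,
    # which arrived in later Dancer releases than the 1.130 minimum; on
    # older releases the extra option should be ignored rather than fail,
    # but verify against the Dancer version in use.
    my $http_only = setting("session_is_http_only");
    $http_only = 1 unless defined $http_only;

    Dancer::set_cookie(
        $session_name => $cipher_text,
        path      => setting("session_cookie_path") || "/",
        secure    => setting("session_secure"),
        http_only => $http_only,
    );
    $self->{id} = $cipher_text;

    return 1;
}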

sub destroy {
    my $self = shift;

    # Drop the session cookie from Dancer's cookie jar for this request.
    # NOTE(review): nothing here emits an expiring Set-Cookie header, and
    # because the entire session lives in the cookie there is no server-side
    # state to revoke: a client that kept a copy of an earlier cookie value
    # can present it again (retrieve() will accept anything that decrypts
    # and checksums) until session_cookie_key is changed.
    my $name = $self->session_name;
    delete Dancer::Cookies->cookies->{$name};

    return 1;
}

sub _encrypt {
    my $plain_text = shift;

    # Prefix the payload with its CRC32 so that _decrypt() can reject
    # corrupted or mangled cookies. This is a plain checksum, not a keyed
    # MAC: whatever tamper resistance exists comes from the client not
    # knowing the AES key. Note that 'L' packs in native byte order, so
    # cookies are only portable between hosts of the same endianness
    # (changing the format would invalidate all existing cookies).
    my $checksum = String::CRC32::crc32($plain_text);
    my $payload  = pack('La*', $checksum, $plain_text);

    # XXX should gzip data if it grows too big. CRC32 won't be needed
    # then.
    my $encoded = MIME::Base64::encode($CIPHER->encrypt($payload), q{});

    # Cookie-safe Base64: '=' '+' '/' become '_' '*' '-' (undone in _decrypt).
    $encoded =~ tr{=+/}{_*-};

    return $encoded;
}

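sub _decrypt {
    my $cookie = shift;

    # An absent or empty cookie means "no session"; nothing to decrypt.
    return unless defined $cookie && length $cookie;

    # Undo the cookie-safe alphabet applied by _encrypt().
    $cookie =~ tr{_*-}{=+/};

    # Garbage cookies make Crypt::CBC / unpack noisy, so warnings are
    # silenced for this call only. The original code assigned to
    # $SIG{__WARN__} without `local`, which permanently disabled warnings
    # for the whole process after the first session lookup.
    local $SIG{__WARN__} = sub {};

    # Crypt::CBC may die on malformed ciphertext (bad header/padding); the
    # caller (retrieve) runs this inside an eval for that reason.
    my $raw = $CIPHER->decrypt(MIME::Base64::decode($cookie));
    my ($crc32, $plain_text) = unpack 'La*', $raw;

    # Too short to even hold the 4-byte checksum prefix.
    return unless defined $crc32 && defined $plain_text;

    # CRC32 detects corruption; it is not a cryptographic MAC.
    return $crc32 == String::CRC32::crc32($plain_text) ? $plain_text : undef;
}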

1;
__END__

=pod

=head1 NAME

Dancer::Session::Cookie - Encrypted cookie-based session backend for Dancer

=head1 SYNOPSIS

Your F<config.yml>:

    session: "cookie"
    session_cookie_key: "this random key IS NOT very random"

=head1 DESCRIPTION

This module implements a session engine for sessions stored entirely
in cookies. Usually only the B<session id> is stored in the cookie and
the session data itself is saved in some external storage, e.g. a
database. This module allows one to avoid external storage altogether:
the serialized, encrypted session travels to and from the client in the
session cookie on every request, so it is best suited to small sessions
(browsers limit the size of a cookie).

Since the server cannot trust any data returned by the client in
cookies, this module uses cryptography to protect the session: the
serialized session is encrypted with AES (Rijndael) in CBC mode via
L<Crypt::CBC>, and a CRC32 checksum is stored alongside it so that
corrupted or mangled cookies are rejected. This keeps the session
contents secret from the client. Note, however, that CRC32 is a
checksum and not a keyed MAC, so the integrity guarantee is weaker than
an authenticated-encryption construction would provide. Note also that
because all state lives in the cookie there is nothing to revoke on the
server: a copy of a previously issued cookie remains acceptable until
B<session_cookie_key> is changed.

=head1 CONFIGURATION

The setting B<session> should be set to C<cookie> in order to use this session
engine in a Dancer application. See L<Dancer::Config>.

A mandatory setting is needed as well: B<session_cookie_key>.
L<Crypt::CBC> derives the actual AES key from this string, so it should
be a random string of at least 16 characters; a short or guessable
passphrase makes the encryption correspondingly weak.

Here is an example configuration to use in your F<config.yml>:

    session: "cookie"
    session_cookie_key: "kjsdf07234hjf0sdkflj12*&(@*jk"

Anyone who obtains B<session_cookie_key> can decrypt every session
cookie (disclosing session data to clients, proxies or eavesdroppers)
and can forge arbitrary sessions, for example to impersonate another
user. Your F<config.yml> should therefore be kept at least as secure as
your database passwords, if not more so.

Also, changing B<session_cookie_key> will have an effect of immediate
invalidation of all sessions issued with the old value of key.

B<session_cookie_path> can be used to control the path of the session
cookie.  The default is /.

The global B<session_secure> setting is honoured: when it is set the
cookie is sent with the C<Secure> flag, so browsers only transmit it
over HTTPS. Since the cookie carries the whole session, enable this
setting whenever the site is served over HTTPS.

=head1 DEPENDENCY

This module depends on L<Crypt::CBC>, L<Crypt::Rijndael>,
L<String::CRC32>, L<Storable> and L<MIME::Base64>.

=head1 AUTHOR

This module has been written by Alex Kapranoff.

=head1 SEE ALSO

See L<Dancer::Session> for details about session usage in route handlers.

See L<Plack::Middleware::Session::Cookie>,
L<Catalyst::Plugin::CookiedSession>, L<Mojolicious::Controller/session> for alternative implementation of this mechanism.

=head1 COPYRIGHT

This module is copyright (c) 2009-2010 Alex Kapranoff <kappa@cpan.org>.

=head1 LICENSE

This module is free software and is released under the same terms as Perl
itself.

=cut