-SESSION_ID="$(update_session)"
-SET_COOKIE 0 session="$SESSION_ID" Path=/ SameSite=Strict HttpOnly
-SESSION_ID="${SESSION_ID%%-*}"
+new_session(){
+ local sid time sig
+
+ debug "Setting up new session"
+ sid="$(randomid)"
+ time=$(( $_DATE + $SESSION_TIMEOUT ))
+ sig="$(session_mac "$sid" "$time")"
+
+ SESSION_KEY="${sid} ${time} ${sig}"
+ SESSION_ID="${sid}"
+}
+
+SESSION_BIND() {
+ # Set tamper-proof authenticated cookie
+ local key="$1" value="$2"
+ SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")" Path="/${_BASE#/}" SameSite=Strict HttpOnly
+}
+
+SESSION_VAR() {
+ # read authenticated cookie
+ # fail if value has been tampered with
+ local key="$1" value sig
+ value="$(COOKIE "$key")"
+ sig="${value##* }" value="${value% *}"
+ if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then
+ printf %s\\n "$value"
+ else
+ return 1
+ fi
+}
+
+SESSION_COOKIE() {
+ [ "$1" = new ] && new_session
+ SET_COOKIE 0 session="$SESSION_KEY" Path="/${_BASE#/}" SameSite=Strict HttpOnly
+}
+
+update_session || new_session