X-Git-Url: http://git.plutz.net/?a=blobdiff_plain;f=session.sh;h=0a2a2e8b6583ad95c1d95735de392f9d64e35615;hb=a836764660cf5db4cc02ffd9ea1ddb30aaa432f5;hp=3f3839ae8b167975a5e5231582509c5484d1f025;hpb=41bcab02ff4b11d22a2624e7afabc50e9c33ae2f;p=cgilite diff --git a/session.sh b/session.sh index 3f3839a..0a2a2e8 100755 --- a/session.sh +++ b/session.sh @@ -3,9 +3,12 @@ [ -n "$include_session" ] && return 0 include_session="$0" +_DATE="$(date +%s)" +SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}" + server_key(){ IDFILE="${IDFILE:-${_DATA:-.}/serverkey}" - if ! grep -m1 -xE '.{512}' "$IDFILE"; then + if [ "$(stat -c %s "$IDFILE")" -ne 512 ] || ! cat "$IDFILE"; then dd count=1 bs=512 if=/dev/urandom \ | tee "$IDFILE" fi 2>&- @@ -21,13 +24,21 @@ slopecode(){ ' } +session_mac(){ + if which openssl >/dev/null; then + openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode + else + { cat; server_key; } |sha256sum |cut -d\ -f1 + fi +} + randomid(){ - dd bs=12 count=1 if=/dev/urandom \ - | slopecode 2>&- + dd bs=12 count=1 if=/dev/urandom 2>&- \ + | slopecode } timeid(){ - d=$(($(date +%s) % 4294967296)) + d=$(($_DATE % 4294967296)) { printf "$( printf \\%o \ $((d / 16777216 % 256)) \ @@ -35,34 +46,43 @@ timeid(){ $((d / 256 % 256)) \ $((d % 256)) )" - dd bs=8 count=1 if=/dev/urandom - } | slopecode 2>&- + dd bs=8 count=1 if=/dev/urandom 2>&- + } | slopecode } -checkid(){ grep -m 1 -xE '[0-9a-zA-Z:_]{16}'; } +checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; } + +transid(){ + # transaction ID to modify a given file + local file="$1" + { stat -c %F%i%n%N%s%Y "$file" 2>&- + printf %s "$SESSION_ID" + } | session_mac +} update_session(){ local session sid time sig serverkey checksig IFS=- read -r sid time sig <<-END - $(COOKIE session) + $(POST session_key || COOKIE session) END serverkey="$(server_key)" - checksig="$(printf %s "$sid" "$time" "$serverkey" | sha256sum)" - checksig="${checksig%% *}" - d=$(date +%s) + checksig="$(printf %s "$sid" "$time" |session_mac)" - if [ "$checksig" != "$sig" -o "$time" -lt "$d" ] 2>&-; then + if ! [ "$checksig" = "$sig" \ + -a "$time" -ge "$_DATE" \ + -a "$(printf %s "$sid" |checkid)" ] 2>&- + then + debug "Setting up new session" sid="$(randomid)" fi - time=$(( $(date +%s) + 7200 )) - sig="$(printf %s "$sid" "$time" "$serverkey" |sha256sum)" - sig="${sig%% *}" + time=$(( $_DATE + $SESSION_TIMEOUT )) + sig="$(printf %s "$sid" "$time" |session_mac)" printf %s\\n "${sid}-${time}-${sig}" } -SESSION_ID="$(update_session)" -SET_COOKIE 0 "session=$SESSION_ID" HttpOnly -SESSION_ID="${SESSION_ID%%-*}" +SESSION_KEY="$(update_session)" +SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly +SESSION_ID="${SESSION_KEY%%-*}"