From d6e0c1abbcd35d9d12b45338060402e4108cc50a Mon Sep 17 00:00:00 2001
From: =?utf8?q?Paul=20H=C3=A4nsch?=
Date: Thu, 16 Sep 2021 01:57:47 +0200
Subject: [PATCH 1/1] function new_session to force session update, limit session cookies to _BASE path

---
 session.sh | 36 ++++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)

diff --git a/session.sh b/session.sh
index 5b36ae0..8fb6236 100755
--- a/session.sh
+++ b/session.sh
@@ -75,6 +75,7 @@ checkid(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | grep -m 1 -xE '[0-9a-zA-
 update_session(){
 local session sid time sig checksig
+ unset SESSION_KEY SESSION_ID
 read -r sid time sig <<-END
 $(POST session_key || COOKIE session)
@@ -82,23 +83,38 @@ update_session(){
 checksig="$(session_mac "$sid" "$time")"
 
- if ! [ "$checksig" = "$sig" \
- -a "$time" -ge "$_DATE" \
- -a "$(printf %s "$sid" |checkid)" ] 2>&-
+ if [ "$checksig" = "$sig" \
+ -a "$time" -ge "$_DATE" \
+ -a "$(checkid "$sid")" ] 2>&-
 then
- debug "Setting up new session"
- sid="$(randomid)"
+ time=$(( $_DATE + $SESSION_TIMEOUT ))
+ sig="$(session_mac "$sid" "$time")"
+
+ SESSION_KEY="${sid} ${time} ${sig}"
+ SESSION_ID="${sid}"
+ return 0
+ else
+ return 1
 fi
+}
+
+new_session(){
+ local sid time sig
+
+ debug "Setting up new session"
+ sid="$(randomid)"
 time=$(( $_DATE + $SESSION_TIMEOUT ))
 sig="$(session_mac "$sid" "$time")"
- printf %s\\n "${sid} ${time} ${sig}"
+
+ SESSION_KEY="${sid} ${time} ${sig}"
+ SESSION_ID="${sid}"
 }
 
 SESSION_BIND() { # Set tamper-proof authenticated cookie
 local key="$1" value="$2"
- SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")"
+ SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")" Path="/${_BASE#/}" SameSite=Strict HttpOnly
 }
 
 SESSION_VAR() {
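Review bot: The new `unset SESSION_KEY SESSION_ID` at the top of update_session carries no comment, and its purpose only becomes visible together with the `return 1` path in the next hunk and the `update_session || new_session` call at the end of the file. Add `# clear any pre-set value first: a key that fails validation must leave no session in scope` above it so a later reader does not remove it as redundant. The pre-existing `session` name in `local session sid time sig checksig` appears unused in the visible lines; if that holds for the rest of the function it could be dropped in a follow-up. update_session's body continues in the next hunk.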
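Review bot: The rewritten `if` accepts a key whose signature field is empty whenever `session_mac` itself prints nothing (its definition is outside this hunk, so this is a possibility rather than a confirmed path): `[ "$checksig" = "$sig" ]` treats two empty strings as equal, after which the key is re-signed and promoted to SESSION_KEY/SESSION_ID without ever having carried a valid MAC. Guard the empty case explicitly, e.g. `[ -n "$sig" ] && [ "$checksig" = "$sig" ]`, and consider having session_mac fail loudly when its key material is unavailable. Separately, `[ a -a b -a c ]` with more than four operands is unspecified by POSIX; chaining `[ "$checksig" = "$sig" ] && [ "$time" -ge "$_DATE" ] 2>&- && [ "$(checkid "$sid")" ]` keeps the same outcome and confines the `2>&-` to the numeric comparison that can actually emit an error. The `if … then … return 0 else return 1 fi` shape could collapse to the test itself, but that is cosmetic.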
@@ -115,10 +131,10 @@ SESSION_VAR() {
 }
 
 SESSION_COOKIE() {
- SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
+ [ "$1" = new ] && new_session
+ SET_COOKIE 0 session="$SESSION_KEY" Path="/${_BASE#/}" SameSite=Strict HttpOnly
 }
 
-SESSION_KEY="$(update_session)"
-SESSION_ID="${SESSION_KEY%% *}"
+update_session || new_session
 
 [ "$1" = nocookie ] || SESSION_COOKIE
-- 
2.39.2
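Review bot: Neither `SET_COOKIE` call sets `Secure` — the session cookie here and the bound cookies in SESSION_BIND in the previous hunk carry only `SameSite=Strict HttpOnly` — so a browser will also attach them to plaintext HTTP requests for the same host; if the deployment is TLS-only, append `Secure`, ideally conditional on the request having arrived over TLS. Narrowing `Path` to `/${_BASE#/}` limits which requests carry the cookie but is not an isolation boundary: other content on the same origin can still issue credentialed requests beneath that path, so it should not be relied on to separate applications sharing a host. Note too that when `_BASE` is unset or empty the expansion yields `Path=/`, which silently restores the previous behaviour; a comment on the SET_COOKIE line stating that expectation would help.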