escaping features

[cgilite] / session.sh

#!/bin/sh

[ -n "$include_session" ] && return 0
include_session="$0"

server_key(){
  IDFILE="${IDFILE:-${_DATA:-.}/serverkey}"
  if [ "$(stat -c %s "$IDFILE")" -ne 512 ] || ! cat "$IDFILE"; then
    dd count=1 bs=512 if=/dev/urandom \
    | tee "$IDFILE"
  fi 2>&-
}

slopecode(){
  # 6-Bit Code that retains sort order of input data, while beeing safe to use
  # in ascii transmissions, unix file names, HTTP URLs, and HTML attributes

  uuencode -m - | sed '
    1d;$d; 
    y;ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/;0123456789:=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz;
  '
}

randomid(){
  dd bs=12 count=1 if=/dev/urandom 2>&- \
  | slopecode
}

timeid(){
  d=$(($(date +%s) % 4294967296))
  { printf "$(
      printf \\%o \
        $((d / 16777216 % 256)) \
        $((d / 65536 % 256)) \
        $((d / 256 % 256)) \
        $((d % 256))
    )"
    dd bs=8 count=1 if=/dev/urandom 2>&-
  } | slopecode
}

checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }

update_session(){
  local session sid time sig serverkey checksig

  IFS=- read -r sid time sig <<-END
        $(COOKIE session)
        END
  serverkey="$(server_key)"
  
  checksig="$(printf %s "$sid" "$time" "$serverkey" | sha256sum)"
  checksig="${checksig%% *}"
  d=$(date +%s)
  
  if [ "$checksig" != "$sig" \
    -o "$time" -lt "$d" \
    -o ! "$(printf %s "$sid" |checkid)" ] 2>&-
  then
    debug Setting up new session
    sid="$(randomid)"
  fi

  time=$(( $(date +%s) + 7200 ))
  sig="$(printf %s "$sid" "$time" "$serverkey" |sha256sum)"
  sig="${sig%% *}"
  printf %s\\n "${sid}-${time}-${sig}"
}

SESSION_ID="$(update_session)"
SET_COOKIE 0 session="$SESSION_ID" Path=/ SameSite=Strict HttpOnly
SESSION_ID="${SESSION_ID%%-*}"