allow suppression of default session cookie
[cgilite] / session.sh
index 8929ab3de62638fa4084cbf3f6d50ba5510ec960..5b36ae032af4e818af91d4b73190a9f83614da15 100755 (executable)
@@ -16,8 +16,16 @@ fi
 if which openssl >/dev/null; then
   session_mac(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode; }
 else
-  # sham hmac if openssl is unavailable
-  session_mac(){ { [ $# -gt 0 ] && printf %s "$*" || cat; server_key; } | sha256sum |cut -d\  -f1; }
+  # Gonzo MAC if openssl is unavailable
+  session_mac(){
+    { server_key | dd status=none bs=256 count=1 skip=1
+      { server_key | dd status=none bs=256 count=1
+        [ $# -gt 0 ] && printf %s "$*" || cat
+      } \
+      | sha256sum -;
+    } \
+    | sha256sum | cut -d\  -f1
+  }
 fi
 
 server_key(){
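Review bot: Both `dd status=none bs=256 count=1` calls in the fallback `session_mac` read the key from a pipe, and without `iflag=fullblock` dd counts a short read as a whole block, so either key slice can come out truncated with no error. I would write `server_key | dd status=none bs=256 count=1 iflag=fullblock` on the inner line and add the same flag to the `skip=1` line. The construction also relies on `server_key` emitting at least 512 bytes, since a shorter key leaves the outer block empty and the outer hash unkeyed; `server_key` is defined outside this hunk, so its length cannot be confirmed here. A comment above the function such as `# sha256(K[256..511] || sha256hex(K[0..255] || msg)); not RFC 2104 HMAC` would tell the next reader what is computed. Because this branch yields hex SHA-256 while the openssl branch yields slopecode-encoded HMAC-SHA1, previously issued MACs stop verifying whenever openssl availability changes on the host.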
@@ -106,6 +114,11 @@ SESSION_VAR() {
   fi
 }
 
+SESSION_COOKIE() {
+  SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
+}
+
 SESSION_KEY="$(update_session)"
-SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
 SESSION_ID="${SESSION_KEY%% *}"
+
+[ "$1" = nocookie ] || SESSION_COOKIE
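Review bot: The opt-out test on the last line reads `$1` at the top level of a sourced file, so it is the include argument only in shells that pass arguments to `.`; in other shells it is the including CGI script's own first parameter. I would at least write `[ "${1-}" = nocookie ] || SESSION_COOKIE` so the test survives `set -u`, and note the shell dependency in a comment, or switch to a variable set before sourcing. Callers that suppress the default must now call `SESSION_COOKIE` themselves before the response headers end, which deserves a line above the function such as `# Emit the session cookie; call manually when sourced with "nocookie"`. The cookie still carries no `Secure` attribute; on an HTTPS-only deployment it would be worth adding, assuming `SET_COOKIE` (not defined in this hunk) passes extra attributes through.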