introduce functions for cookie based cryptographically signed session variables

[cgilite] / session.sh
diff --git a/session.sh b/session.sh

index 60ae57734a6b1e659460139c7b1b497fae5d866b..b52ac0a5cc6fab71ba8a7926c27ac692a5c867de 100755 (executable)
--- a/session.sh
+++ b/session.sh
@@ -3,6 +3,9 @@
  [ -n "$include_session" ] && return 0
  include_session="$0"
  
+_DATE="$(date +%s)"
+SESSION_TIMEOUT="${SESSION_TIMEOUT:-7200}"
+
  server_key(){
    IDFILE="${IDFILE:-${_DATA:-.}/serverkey}"
    if [ "$(stat -c %s "$IDFILE")" -ne 512 ] || ! cat "$IDFILE"; then
@@ -21,13 +24,24 @@ slopecode(){
    '
  }
  
+session_mac(){
+  local info
+  [ $# -eq 0 ] && info="$(cat)" || info="$*"
+
+  if which openssl >/dev/null; then
+    printf %s "$info" |openssl dgst -sha1 -hmac "$(server_key)" -binary |slopecode
+  else
+    { printf %s "$info"; server_key; } |sha256sum |cut -d\  -f1
+  fi
+}
+
  randomid(){
    dd bs=12 count=1 if=/dev/urandom 2>&- \
    | slopecode
  }
  
  timeid(){
-  d=$(($(date +%s) % 4294967296))
+  d=$(($_DATE % 4294967296))
    { printf "$(
        printf \\%o \
          $((d / 16777216 % 256)) \
@@ -39,34 +53,53 @@ timeid(){
    } | slopecode
  }
  
-checkid(){ grep -m 1 -xE '[0-9a-zA-Z:_]{16}'; }
+checkid(){ grep -m 1 -xE '[0-9a-zA-Z:=]{16}'; }
+
+transid(){
+  # transaction ID to modify a given file
+  local file="$1"
+  session_mac "$(stat -c %F%i%n%N%s%Y "$file" 2>&-)" "$SESSION_ID"
+}
  
  update_session(){
-  local session sid time sig serverkey checksig
+  local session sid time sig checksig
  
-  IFS=- read -r sid time sig <<-END
-       $(COOKIE session)
+  read -r sid time sig <<-END
+       $(POST session_key || COOKIE session)
         END
-  serverkey="$(server_key)"
    
-  checksig="$(printf %s "$sid" "$time" "$serverkey" | sha256sum)"
-  checksig="${checksig%% *}"
-  d=$(date +%s)
+  checksig="$(session_mac "$sid" "$time")"
    
-  if [ "$checksig" != "$sig" \
-    -o "$time" -lt "$d" \
-    -o ! "$(printf %s "$sid" |checkid)" ] 2>&-
+  if ! [ "$checksig" = "$sig" \
+    -a "$time" -ge "$_DATE" \
+    -a "$(printf %s "$sid" |checkid)" ] 2>&-
    then
-    debug Setting up new session
+    debug "Setting up new session"
      sid="$(randomid)"
    fi
  
-  time=$(( $(date +%s) + 7200 ))
-  sig="$(printf %s "$sid" "$time" "$serverkey" |sha256sum)"
-  sig="${sig%% *}"
-  printf %s\\n "${sid}-${time}-${sig}"
+  time=$(( $_DATE + $SESSION_TIMEOUT ))
+  sig="$(session_mac "$sid" "$time")"
+  printf %s\\n "${sid} ${time} ${sig}"
+}
+
+SESSION_KEY="$(update_session)"
+SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
+SESSION_ID="${SESSION_KEY%% *}"
+
+SESSION_BIND() {
+  local key="$1" value="$2"
+  SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")"
  }
  
-SESSION_ID="$(update_session)"
-SET_COOKIE 0 session="$SESSION_ID" Path=/ SameSite=Strict HttpOnly
-SESSION_ID="${SESSION_ID%%-*}"
+SESSION_VAR() {
+  local key="$1"
+  local value sig
+  value="$(COOKIE "$key")"
+  sig="${value##* }" value="${value% *}"
+  if [ "$sig" = "$(session_mac "$value" "$SESSION_ID")" ]; then
+    printf %s\\n "$value"
+  else
+    return 1
+  fi
+}