X-Git-Url: https://git.plutz.net/?p=cgilite;a=blobdiff_plain;f=session.sh;h=1f4699e441357303b4dd4b6e4daeff3af1bb47c8;hp=5b36ae032af4e818af91d4b73190a9f83614da15;hb=e02243e96d7cc400b63c3e856d0e80d4140c6805;hpb=a76f6a5931782adbae717678f8f92569ed0d5bcb
diff --git a/session.sh b/session.sh
index 5b36ae0..1f4699e 100755
--- a/session.sh
+++ b/session.sh
@@ -75,6 +75,7 @@ checkid(){ { [ $# -gt 0 ] && printf %s "$*" || cat; } | grep -m 1 -xE '[0-9a-zA-
 update_session(){
 	local session sid time sig checksig
+	unset SESSION_KEY SESSION_ID
 	read -r sid time sig <<-END
 	$(POST session_key || COOKIE session)
@@ -82,23 +83,38 @@ update_session(){
 	checksig="$(session_mac "$sid" "$time")"
-	if ! [ "$checksig" = "$sig" \
-	     -a "$time" -ge "$_DATE" \
-	     -a "$(printf %s "$sid" |checkid)" ] 2>&-
+	if [ "$checksig" = "$sig" \
+	     -a "$time" -ge "$_DATE" \
+	     -a "$(checkid "$sid")" ] 2>&-
 	then
-		debug "Setting up new session"
-		sid="$(randomid)"
+		time=$(( $_DATE + $SESSION_TIMEOUT ))
+		sig="$(session_mac "$sid" "$time")"
+
+		SESSION_KEY="${sid} ${time} ${sig}"
+		SESSION_ID="${sid}"
+		return 0
+	else
+		return 1
 	fi
+}
+
+new_session(){
+	local sid time sig
+
+	debug "Setting up new session"
+	sid="$(randomid)"
 	time=$(( $_DATE + $SESSION_TIMEOUT ))
 	sig="$(session_mac "$sid" "$time")"
-	printf %s\\n "${sid} ${time} ${sig}"
+
+	SESSION_KEY="${sid} ${time} ${sig}"
+	SESSION_ID="${sid}"
 }
 
 SESSION_BIND() {
 	# Set tamper-proof authenticated cookie
 	local key="$1" value="$2"
-	SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")"
+	SET_COOKIE session "$key"="${value} $(session_mac "$value" "$SESSION_ID")" Path="/${_BASE#/}" SameSite=Strict HttpOnly
 }
 
 SESSION_VAR() {
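Review bot: The added `unset SESSION_KEY SESSION_ID` makes the key read on the following line the only source of the session, and that read still prefers the POST field over the cookie (`$(POST session_key || COOKIE session)`). Because the later hunks accept any key carrying a valid MAC and SESSION_COOKIE persists whatever SESSION_KEY holds, a cross-site form that posts an attacker's own (validly signed) key can plant that session in the victim's browser, a session-fixation path that SameSite=Strict does not close since the key travels in the request body rather than the cookie. If the POST field is intended as a CSRF proof rather than a second transport, consider reading the cookie first, `$(COOKIE session || POST session_key)`, or rejecting a POST key that differs from an existing cookie. update_session continues past this hunk and SESSION_COOKIE lives in a later one, so how callers combine them is only partly visible here.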
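Review bot: In the new SESSION_BIND line the MAC still covers only `$value` and `$SESSION_ID`, not `$key`, so a `value mac` pair issued for one cookie name verifies just as well when the client presents it under a different cookie name within the same session. If session_mac simply concatenates its arguments (every visible call passes two), binding the name is a one-line change, `SET_COOKIE session "$key"="${value} $(session_mac "$key" "$value" "$SESSION_ID")" Path="/${_BASE#/}" SameSite=Strict HttpOnly`, with the matching verification in SESSION_VAR changed the same way; SESSION_VAR's body lies outside this hunk, so I cannot confirm how it checks the MAC today. The added attributes also omit `Secure`; since `HttpOnly` is passed as a bare word, appending `${HTTPS:+Secure}` (the CGI variable most servers export under TLS) would presumably keep the bound cookie off plaintext connections without breaking plain-HTTP test setups. Separately, update_session now re-stamps a valid key with `$_DATE + $SESSION_TIMEOUT` on every request, so a leaked key never expires while it keeps being used; an absolute issue time inside the MACed payload would let you cap total lifetime.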
@@ -115,10 +131,8 @@ SESSION_VAR() {
 }
 
 SESSION_COOKIE() {
-	SET_COOKIE 0 session="$SESSION_KEY" Path=/ SameSite=Strict HttpOnly
+	[ "$1" = new ] && new_session
+	SET_COOKIE 0 session="$SESSION_KEY" Path="/${_BASE#/}" SameSite=Strict HttpOnly
 }
 
-SESSION_KEY="$(update_session)"
-SESSION_ID="${SESSION_KEY%% *}"
-
-[ "$1" = nocookie ] || SESSION_COOKIE
+update_session || new_session
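Review bot: The rewritten SET_COOKIE line in SESSION_COOKIE gains a Path and keeps SameSite=Strict and HttpOnly, but the session bearer key is still issued without `Secure`, so browsers will also send it on plain-HTTP requests to the same host. Because `HttpOnly` is passed as a bare attribute, `Secure` presumably works the same way, and a conditional form, `SET_COOKIE 0 session="$SESSION_KEY" Path="/${_BASE#/}" SameSite=Strict HttpOnly ${HTTPS:+Secure}`, would enable it whenever the server exports HTTPS under TLS without breaking local plain-HTTP use. The new `[ "$1" = new ] && new_session` also deserves a comment: it replaces SESSION_ID, and cookies previously issued by SESSION_BIND are MACed against the old id, so they presumably stop verifying after a `new`, which is right for logout but surprising for callers that expect bound values to survive; a line such as `# "new" rotates the key; values bound with SESSION_BIND under the old id no longer verify` would make that explicit. With the automatic SESSION_COOKIE call removed at the bottom, scripts that relied on the old default now emit no cookie until they call SESSION_COOKIE themselves, which is worth stating in the file header outside this hunk.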