RubyGems - encrypted_cookie - Versions diffs - 0.0.2 → 0.0.3 - Mend

encrypted_cookie 0.0.2 → 0.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

data.tar.gz.sig +3 -2
data/Manifest +1 -1
data/README.markdown +35 -0
data/Rakefile +1 -1
data/encrypted_cookie.gemspec +3 -3
data/lib/encrypted_cookie.rb +38 -6
data/pkg/encrypted_cookie-0.0.2.gem +0 -0
data/spec/encrypted_cookie_spec.rb +10 -1
metadata +5 -5
metadata.gz.sig +1 -1
data/test/demo.rb +0 -15

data.tar.gz.sig CHANGED Viewed

@@ -1,2 +1,3 @@
-o�9
-�]v+����6�����`]�-c�6��o�"�}$�!�?1j/KC���*U٫����y�7�7r�T>)c=@+�+d�s�h�
+~��4r=�<'��t�;=�p*��=���
+>�T(R�����z�
+�@��ϱ�w����)2~�<�Z�x<���+\��S~I���k}|"���c�"��@v�40�������D4�Ƭ9k���*�����(��$���B�ֻ4�����{�ߺ#�ͦ]�4�T^h����D4�Y�0����

data/Manifest CHANGED Viewed

@@ -3,5 +3,5 @@ README.markdown
 Rakefile
 encrypted_cookie.gemspec
 lib/encrypted_cookie.rb
+pkg/encrypted_cookie-0.0.2.gem
 spec/encrypted_cookie_spec.rb
-test/demo.rb

data/README.markdown CHANGED Viewed

@@ -0,0 +1,35 @@
+## Encrypted session cookies for Rack (and therefore Sinatra)
+The `encrypted_cookie` gem provides 128-bit-AES-encrypted, tamper-proof cookies
+for Rack through the class `Rack::Session::EncryptedCookie`.
+## How to use encrypted\_cookie
+    $ gem install encrypted_cookie
+Sinatra example:
+    require 'sinatra'
+    require 'encrypted_cookie'
+    use Rack::Session::EncryptedCookie,
+      :secret => TYPE_YOUR_LONG_RANDOM_STRING_HERE*
+    get '/' do
+      session[:foo] = 'bar'
+      "session: " + session.inspect
+    end
+_*_ Your `:secret` must be at least 16 bytes long and should be really random.
+## Encryption and integrity protection
+The cookie encryption method is 128-bit AES (with salt). Additionally, the
+cookies are integrity protected with Rack's built-in HMAC support, which means
+that if a user tampers with their cookie in any way, their session will
+immediately be reset to `{}` (empty hash).
+## Generating a good secret
+    require 'openssl'
+    puts OpenSSL::Random.random_bytes(16).inspect

data/Rakefile CHANGED Viewed

@@ -2,7 +2,7 @@ require 'rubygems'
 require 'rake'
 require 'echoe'
-Echoe.new('encrypted_cookie', '0.0.2') do |p|
+Echoe.new('encrypted_cookie', '0.0.3') do |p|
   p.description    = "Encrypted session cookies for Rack"
   p.url            = "http://github.com/cvonkleist/encrypted_cookie"
   p.author         = "Christian von Kleist"

data/encrypted_cookie.gemspec CHANGED Viewed

@@ -2,16 +2,16 @@
 Gem::Specification.new do |s|
   s.name = %q{encrypted_cookie}
-  s.version = "0.0.2"
+  s.version = "0.0.3"
   s.required_rubygems_version = Gem::Requirement.new(">= 1.2") if s.respond_to? :required_rubygems_version=
   s.authors = ["Christian von Kleist"]
   s.cert_chain = ["/home/cvk/.gemcert/gem-public_cert.pem"]
-  s.date = %q{2011-03-02}
+  s.date = %q{2011-03-03}
   s.description = %q{Encrypted session cookies for Rack}
   s.email = %q{cvonkleist at-a-place-called gmail.com}
   s.extra_rdoc_files = ["README.markdown", "lib/encrypted_cookie.rb"]
-  s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "spec/encrypted_cookie_spec.rb", "test/demo.rb"]
+  s.files = ["Manifest", "README.markdown", "Rakefile", "encrypted_cookie.gemspec", "lib/encrypted_cookie.rb", "pkg/encrypted_cookie-0.0.2.gem", "spec/encrypted_cookie_spec.rb"]
   s.homepage = %q{http://github.com/cvonkleist/encrypted_cookie}
   s.rdoc_options = ["--line-numbers", "--inline-source", "--title", "Encrypted_cookie", "--main", "README.markdown"]
   s.require_paths = ["lib"]

data/lib/encrypted_cookie.rb CHANGED Viewed

@@ -1,9 +1,29 @@
 require 'openssl'
-require 'rack/session/cookie'
+require 'rack/request'
+require 'rack/response'
 module Rack
   module Session
-    class EncryptedCookie < Cookie
+    # Rack::Session::EncryptedCookie provides AES-128-encrypted, tamper-proof
+    # cookie-based session management.
+    #
+    # The session is Marshal'd, HMAC'd, and encrypted.
+    #
+    # Example:
+    #
+    #     use Rack::Session::EncryptedCookie,
+    #       :secret => 'change_me',
+    #       :key => 'rack.session',
+    #       :domain => 'foo.com',
+    #       :path => '/',
+    #       :expire_after => 2592000
+    #
+    #     All parameters are optional except :secret.
+    class EncryptedCookie
       def initialize(app, options={})
         @app = app
         @key = options[:key] || "rack.session"
@@ -14,14 +34,24 @@ module Rack
           :expire_after => nil}.merge(options)
       end
+      def call(env)
+        load_session(env)
+        status, headers, body = @app.call(env)
+        commit_session(env, status, headers, body)
+      end
+      private
       def load_session(env)
         request = Rack::Request.new(env)
         session_data = request.cookies[@key]
         if session_data
-          session_data = decrypt(session_data)
-          session_data, digest = session_data.split("--")
-          session_data = nil  unless digest == generate_hmac(session_data)
+          #begin
+            session_data = decrypt(session_data)
+            session_data, digest = session_data.split("--")
+            session_data = nil  unless digest == generate_hmac(session_data)
+          #rescue OpenSSL::Cipher::Cipher
         end
         begin
@@ -56,7 +86,9 @@ module Rack
         [status, headers, body]
       end
-      private
+      def generate_hmac(data)
+        OpenSSL::HMAC.hexdigest(OpenSSL::Digest::SHA1.new, @secret, data)
+      end
       def encrypt(str)
         aes = OpenSSL::Cipher::Cipher.new('aes-128-cbc').encrypt

data/pkg/encrypted_cookie-0.0.2.gem ADDED Viewed

Binary file

data/spec/encrypted_cookie_spec.rb CHANGED Viewed

@@ -1,7 +1,6 @@
 require 'rack/test'
 require 'sinatra'
 require 'rspec'
-require 'ruby-debug'
 require 'cgi'
 require File.dirname(__FILE__) + '/../lib/encrypted_cookie'
@@ -81,6 +80,16 @@ describe EncryptedApp do
     lambda { plaintext = (aes.update(crypted_text) << aes.final) }.should raise_error("bad decrypt")
   end
+  it "should reset the session if someone messes with the crypted data" do
+    get '/set/foo/bar'
+    last_response.body.should == 'all set'
+    get '/'
+    last_response.body.should == 'session: {"foo"=>"bar"}'
+    rack_mock_session.cookie_jar.instance_variable_get(:@cookies).first.instance_variable_set(:@name_and_value, 'rack.session=lkjsdlfkjsd')
+    get '/'
+    last_response.body.should == 'session: {}'
+  end
 end
 describe UnencryptedApp do

metadata CHANGED Viewed

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification
 name: encrypted_cookie
 version: !ruby/object:Gem::Version
-  hash: 27
+  hash: 25
   prerelease: false
   segments:
   - 0
   - 0
-  - 2
-  version: 0.0.2
+  - 3
+  version: 0.0.3
 platform: ruby
 authors:
 - Christian von Kleist
@@ -36,7 +36,7 @@ cert_chain:
   DnOM3kD7rptG2g==
   -----END CERTIFICATE-----
-date: 2011-03-02 00:00:00 -05:00
+date: 2011-03-03 00:00:00 -05:00
 default_executable:
 dependencies: []
@@ -55,8 +55,8 @@ files:
 - Rakefile
 - encrypted_cookie.gemspec
 - lib/encrypted_cookie.rb
+- pkg/encrypted_cookie-0.0.2.gem
 - spec/encrypted_cookie_spec.rb
-- test/demo.rb
 has_rdoc: true
 homepage: http://github.com/cvonkleist/encrypted_cookie
 licenses: []

metadata.gz.sig CHANGED Viewed

	@@ -1 +1 @@
1	- +f7��\VPU�!��i�eh��p�ٙ?�;�P��o=�F#��p#\��{4+��o9P��o��Y��VF��7�ȏ)��~~ɝR&WAt��C��NK�˟{"�f�r��S�\|}��_�W0��g/��e��V�A~~�tY�BѲ��6a,i��;&.�w��C��~~F ~~��.&��F]8?�X1#�_~~
1	+ Ve��rH��A-�*�F�%�[��$�yy��7ڻ

data/test/demo.rb DELETED Viewed

@@ -1,15 +0,0 @@
-require 'sinatra'
-require '../lib/encrypted_cookie'
-use Rack::Session::EncryptedCookie,
-  :key => 'rack.session',
-  :secret => 'ASDFASDFASDJFsakdfji2j3oij2o3ij4l12kj3'
-get '/' do
-  "session = " + session.inspect
-end
-get '/set/:data' do
-  session[:data] = params[:data]
-  redirect '/'
-end