global_session 2.0.3 → 3.0.0

data/Rakefile

@@ -3,7 +3,7 @@ require 'rubygems'
 require 'rake'
 require 'right_develop'
 require 'spec/rake/spectask'
-require 'rake/gempackagetask'
+require 'rubygems/package_task'
 require 'rake/clean'
 require 'cucumber/rake/task'
 

data/VERSION

@@ -1 +1 @@
-2.0.3
+3.0.0

data/global_session.gemspec

@@ -5,7 +5,7 @@
 
 Gem::Specification.new do |s|
   s.name = %q{global_session}
-  s.version = "2.0.3"
+  s.version = "3.0.0"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Tony Spataro"]
@@ -36,6 +36,7 @@ Gem::Specification.new do |s|
     "lib/global_session/session/abstract.rb",
     "lib/global_session/session/v1.rb",
     "lib/global_session/session/v2.rb",
+    "lib/global_session/session/v3.rb",
     "rails/init.rb",
     "rails_generators/global_session/USAGE",
     "rails_generators/global_session/global_session_generator.rb",
@@ -54,51 +55,51 @@ Gem::Specification.new do |s|
     s.specification_version = 3
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_runtime_dependency(%q<right_support>, ["~> 2.5"])
-      s.add_runtime_dependency(%q<simple_uuid>, [">= 0.2.0"])
       s.add_runtime_dependency(%q<json>, ["~> 1.4"])
-      s.add_runtime_dependency(%q<msgpack>, ["~> 0.4"])
       s.add_runtime_dependency(%q<rack-contrib>, ["~> 1.0"])
-      s.add_development_dependency(%q<rake>, ["~> 0.8"])
-      s.add_development_dependency(%q<rspec>, ["~> 1.3"])
+      s.add_runtime_dependency(%q<right_support>, [">= 2.8.1", "< 3.0"])
+      s.add_runtime_dependency(%q<simple_uuid>, [">= 0.2.0"])
       s.add_development_dependency(%q<cucumber>, ["~> 1.0"])
-      s.add_development_dependency(%q<right_develop>, ["~> 1.2"])
+      s.add_development_dependency(%q<debugger>, ["~> 1.5"])
       s.add_development_dependency(%q<flexmock>, ["~> 0.8"])
-      s.add_development_dependency(%q<jeweler>, ["~> 1.8.3"])
       s.add_development_dependency(%q<httpclient>, [">= 0"])
+      s.add_development_dependency(%q<jeweler>, ["~> 1.8.3"])
+      s.add_development_dependency(%q<msgpack>, ["~> 0.4"])
+      s.add_development_dependency(%q<rake>, ["~> 0.8"])
+      s.add_development_dependency(%q<right_develop>, ["~> 1.2"])
+      s.add_development_dependency(%q<rspec>, ["~> 1.3"])
       s.add_development_dependency(%q<ruby-debug>, ["~> 0.10"])
-      s.add_development_dependency(%q<debugger>, ["~> 1.5"])
     else
-      s.add_dependency(%q<right_support>, ["~> 2.5"])
-      s.add_dependency(%q<simple_uuid>, [">= 0.2.0"])
       s.add_dependency(%q<json>, ["~> 1.4"])
-      s.add_dependency(%q<msgpack>, ["~> 0.4"])
       s.add_dependency(%q<rack-contrib>, ["~> 1.0"])
-      s.add_dependency(%q<rake>, ["~> 0.8"])
-      s.add_dependency(%q<rspec>, ["~> 1.3"])
+      s.add_dependency(%q<right_support>, [">= 2.8.1", "< 3.0"])
+      s.add_dependency(%q<simple_uuid>, [">= 0.2.0"])
       s.add_dependency(%q<cucumber>, ["~> 1.0"])
-      s.add_dependency(%q<right_develop>, ["~> 1.2"])
+      s.add_dependency(%q<debugger>, ["~> 1.5"])
       s.add_dependency(%q<flexmock>, ["~> 0.8"])
-      s.add_dependency(%q<jeweler>, ["~> 1.8.3"])
       s.add_dependency(%q<httpclient>, [">= 0"])
+      s.add_dependency(%q<jeweler>, ["~> 1.8.3"])
+      s.add_dependency(%q<msgpack>, ["~> 0.4"])
+      s.add_dependency(%q<rake>, ["~> 0.8"])
+      s.add_dependency(%q<right_develop>, ["~> 1.2"])
+      s.add_dependency(%q<rspec>, ["~> 1.3"])
       s.add_dependency(%q<ruby-debug>, ["~> 0.10"])
-      s.add_dependency(%q<debugger>, ["~> 1.5"])
     end
   else
-    s.add_dependency(%q<right_support>, ["~> 2.5"])
-    s.add_dependency(%q<simple_uuid>, [">= 0.2.0"])
     s.add_dependency(%q<json>, ["~> 1.4"])
-    s.add_dependency(%q<msgpack>, ["~> 0.4"])
     s.add_dependency(%q<rack-contrib>, ["~> 1.0"])
-    s.add_dependency(%q<rake>, ["~> 0.8"])
-    s.add_dependency(%q<rspec>, ["~> 1.3"])
+    s.add_dependency(%q<right_support>, [">= 2.8.1", "< 3.0"])
+    s.add_dependency(%q<simple_uuid>, [">= 0.2.0"])
     s.add_dependency(%q<cucumber>, ["~> 1.0"])
-    s.add_dependency(%q<right_develop>, ["~> 1.2"])
+    s.add_dependency(%q<debugger>, ["~> 1.5"])
     s.add_dependency(%q<flexmock>, ["~> 0.8"])
-    s.add_dependency(%q<jeweler>, ["~> 1.8.3"])
     s.add_dependency(%q<httpclient>, [">= 0"])
+    s.add_dependency(%q<jeweler>, ["~> 1.8.3"])
+    s.add_dependency(%q<msgpack>, ["~> 0.4"])
+    s.add_dependency(%q<rake>, ["~> 0.8"])
+    s.add_dependency(%q<right_develop>, ["~> 1.2"])
+    s.add_dependency(%q<rspec>, ["~> 1.3"])
     s.add_dependency(%q<ruby-debug>, ["~> 0.10"])
-    s.add_dependency(%q<debugger>, ["~> 1.5"])
   end
 end
 

data/lib/global_session/directory.rb

@@ -99,7 +99,6 @@ module GlobalSession
     #
     # === Parameters
     # cookie(String):: DEPRECATED - Optional, serialized global session cookie. If none is supplied, a new session is created.
-    # valid_signature_digest(String):: DEPRECATED -  Optional,
     #
     # === Return
     # session(Session):: the newly-initialized session
@@ -109,20 +108,24 @@ module GlobalSession
     # ExpiredSession:: if the session contained in the cookie has expired
     # MalformedCookie:: if the cookie was corrupt or malformed
     # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
-    def create_session(cookie=nil, valid_signature_digest=nil)
+    def create_session(cookie=nil)
       forced_version = configuration['cookie']['version']
 
       if cookie.nil?
         # Create a legitimately new session
         case forced_version
+        when 3, nil
+          Session::V3.new(self, cookie)
+        when 2
+          Session::V2.new(self, cookie)
         when 1
-          Session::V1.new(self, cookie, valid_signature_digest)
+          Session::V1.new(self, cookie)
         else
-          Session.new(self, cookie, valid_signature_digest)
+          raise ArgumentError, "Unknown value #{forced_version} for configuration.cookie.version" 
         end
       else
         warn "GlobalSession::Directory#create_session with an existing session is DEPRECATED -- use #load_session instead"
-        load_session(cookie, valid_signature_digest)
+        load_session(cookie)
       end
     end
 
@@ -130,7 +133,6 @@ module GlobalSession
     #
     # === Parameters
     # cookie(String):: Optional, serialized global session cookie. If none is supplied, a new session is created.
-    # valid_signature_digest(String):: Optional,
     #
     # === Return
     # session(Session):: the newly-initialized session
@@ -140,8 +142,8 @@ module GlobalSession
     # ExpiredSession:: if the session contained in the cookie has expired
     # MalformedCookie:: if the cookie was corrupt or malformed
     # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
-    def load_session(cookie, valid_signature_digest=nil)
-      Session.new(self, cookie, valid_signature_digest)
+    def load_session(cookie)
+      Session.new(self, cookie)
     end
 
     def local_authority_name

data/lib/global_session/encoding.rb

@@ -19,6 +19,15 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
+# Standard library (or possibly gem) dependencies
+require 'json'
+
+begin
+  require 'msgpack'
+rescue LoadError => e
+  # Msgpack is optional (only required for V2 session support)
+end
+
 module GlobalSession
   # Various encoding (not encryption!) techniques used by the global session plugin.
   #
@@ -26,6 +35,10 @@ module GlobalSession
     # JSON serializer, used to serialize Hash objects in a form suitable
     # for stuffing into a cookie.
     #
+    # Note that the #load method does not have the serialization semantics of the
+    # Marshal/YAML load/dump interface; any embedded Ruby objects will remain in
+    # their hash-serialized form. (Global session contents are not trustworthy enough
+    # to allow Ruby object serialization.)
     module JSON
       # Unserialize JSON to Hash.
       #
@@ -35,7 +48,7 @@ module GlobalSession
       # === Return
       # value(Hash):: An unserialized Ruby Hash
       def self.load(json)
-        ::JSON.load(json)
+        ::JSON.parse(json)
       end
 
       # Serialize Hash to JSON document.
@@ -46,7 +59,7 @@ module GlobalSession
       # === Return
       # json(String):: A JSON-serialized representation of +value+
       def self.dump(object)
-        return object.to_json
+        return ::JSON.dump(object)
       end
     end
 
@@ -54,11 +67,19 @@ module GlobalSession
     # for serializers.
     module Msgpack
       def self.load(binary)
-        MessagePack.unpack(binary)
+        if defined?(MessagePack)
+          MessagePack.unpack(binary)
+        else
+          raise NotImplementedError, "::MessagePack undefined; please install 'msgpack' gem to enable this optional functionality"
+        end
       end
 
       def self.dump(object)
-        object.to_msgpack
+        if object.respond_to?(:to_msgpack)
+          object.to_msgpack
+        else
+          raise NotImplementedError, "#to_msgpack unavailable; please install 'msgpack' gem to enable this optional functionality"
+        end
       end
     end
 

data/lib/global_session/rack.rb

@@ -157,7 +157,6 @@ module GlobalSession
         return unless @directory.local_authority_name
         return if env['global_session.req.update'] == false
 
-        domain = @configuration['cookie']['domain'] || env['SERVER_NAME']
         session = env['global_session']
 
         if session
@@ -172,11 +171,14 @@ module GlobalSession
           expires = @configuration['ephemeral'] ? nil : session.expired_at
           unless env['rack.cookies'][@cookie_name] == value
             env['rack.cookies'][@cookie_name] =
-                {:value => value, :domain => domain, :expires => expires, :httponly=>true}
+                {:value => value,
+                 :domain => cookie_domain(env),
+                 :expires => expires,
+                 :httponly=>true}
           end
         else
           # write an empty cookie
-          env['rack.cookies'][@cookie_name] = {:value => nil, :domain => domain, :expires => Time.at(0)}
+          wipe_cookie(env)
         end
       rescue Exception => e
         wipe_cookie(env)
@@ -191,8 +193,9 @@ module GlobalSession
         return unless @directory.local_authority_name
         return if env['global_session.req.update'] == false
 
-        domain = @configuration['cookie']['domain'] || env['SERVER_NAME']
-        env['rack.cookies'][@cookie_name] = {:value => nil, :domain => domain, :expires => Time.at(0)}
+        env['rack.cookies'][@cookie_name] = {:value => nil,
+                                             :domain => cookie_domain(env),
+                                             :expires => Time.at(0)}
       end
 
       # Handle exceptions that occur during app invocation. This will either save the error
@@ -234,6 +237,26 @@ module GlobalSession
 
         true
       end
+
+      # Determine the domain name for which we should set the cookie. Uses the domain specified
+      # in the configuration if one is found; otherwise, uses the SERVER_NAME from the request
+      # but strips off the first component if the domain name contains more than two components.
+      #
+      # === Parameters
+      # env(Hash):: the Rack environment hash
+      def cookie_domain(env)
+        if @configuration['cookie'].key?('domain')
+          # Use the explicitly provided domain name
+          domain = @configuration['cookie']['domain']
+        else
+          # Use the server name, but strip off the most specific component
+          parts = env['SERVER_NAME'].split('.')
+          parts = parts[1..-1] if parts.length > 2
+          domain = parts.join('.')
+        end
+
+        domain
+      end
     end
   end
 end

data/lib/global_session/rails.rb

@@ -20,6 +20,8 @@
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 
 require 'rack/contrib/cookies'
+
+# lib/global_session.rb does this for us, but just in case this file is required directly...
 require 'action_pack'
 require 'action_controller'
 

data/lib/global_session/session/abstract.rb

@@ -15,10 +15,26 @@ module GlobalSession::Session
     # ExpiredSession:: if the session contained in the cookie has expired
     # MalformedCookie:: if the cookie was corrupt or malformed
     # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
-    def initialize(directory)
+    def initialize(directory, cookie=nil)
       @directory = directory
       @signed = {}
       @insecure = {}
+
+      @configuration = directory.configuration
+      @schema_signed = Set.new((@configuration['attributes']['signed']))
+      @schema_insecure = Set.new((@configuration['attributes']['insecure']))
+
+      if cookie && !cookie.empty?
+        load_from_cookie(cookie)
+      elsif @directory.local_authority_name
+        create_from_scratch
+      else
+        create_invalid
+      end
+    end
+
+    def to_s
+      inspect
     end
 
     # @return a representation of the object suitable for printing to the console
@@ -51,6 +67,45 @@ module GlobalSession::Session
       {}
     end
 
+    # @return [true,false] true if this session was created in-process, false if it was initialized from a cookie
+    def new_record?
+      @cookie.nil?
+    end
+
+    # Determine whether the session is valid. This method simply delegates to the
+    # directory associated with this session.
+    #
+    # === Return
+    # valid(true|false):: True if the session is valid, false otherwise
+    def valid?
+      @directory.valid_session?(@id, @expired_at)
+    end
+
+    # Determine whether the global session schema allows a given key to be placed
+    # in the global session.
+    #
+    # === Parameters
+    # key(String):: The name of the key
+    #
+    # === Return
+    # supported(true|false):: Whether the specified key is supported
+    def supports_key?(key)
+      @schema_signed.include?(key) || @schema_insecure.include?(key)
+    end
+
+    # Determine whether this session contains a value with the specified key.
+    #
+    # === Parameters
+    # key(String):: The name of the key
+    #
+    # === Return
+    # contained(true|false):: Whether the session currently has a value for the specified key.
+    def has_key?(key)
+      @signed.has_key?(key) || @insecure.has_key?(key)
+    end
+
+    alias :key? :has_key?
+
     # Invalidate this session by reporting its UUID to the Directory.
     #
     # === Return
@@ -79,5 +134,17 @@ module GlobalSession::Session
         raise GlobalSession::NoAuthority, 'Cannot change secure session attributes; we are not an authority'
       end
     end
+
+    def load_from_cookie(cookie)
+      raise NotImplementedError, "Subclass responsibility"
+    end
+
+    def create_from_scratch
+      raise NotImplementedError, "Subclass responsibility"
+    end
+
+    def create_invalid
+      raise NotImplementedError, "Subclass responsibility"
+    end
   end
 end

data/lib/global_session/session/v1.rb

@@ -24,9 +24,20 @@ require 'set'
 require 'zlib'
 
 module GlobalSession::Session
-  # Global session V1 uses JSON serialization and Zlib compression. Its encoding looks something
-  # like this:
+  # V1 uses JSON serialization and Zlib compression. Its JSON structure is a Hash
+  # with the following format:
+  #  {'id': <uuid_string> ,
+  #   'a': <signing_authority_string>,
+  #   'tc': <creation_timestamp_integer>,
+  #   'te': <expiration_timestamp_integer>,
+  #   'ds': {<signed_data_hash>},
+  #   'dx': {<unsigned_data_hash>},
+  #   's': <binary_signature_string>}
   #
+  # Limitations of V1 include the following:
+  # * Compressing the JSON usually INCREASES the size of the compressed data
+  # * The sign and verify algorithms, while safe, do not comply fully with PKCS7; they rely on the
+  #   OpenSSL low-level crypto API instead of using the higher-level EVP (envelope) API.
   class V1 < Abstract
     # Utility method to decode a cookie; good for console debugging. This performs no
     # validation or security check of any sort.
@@ -39,53 +50,12 @@ module GlobalSession::Session
       return GlobalSession::Encoding::JSON.load(json)
     end
 
-    # Create a new global session object.
-    #
-    # === Parameters
-    # directory(Directory):: directory implementation that the session should use for various operations
-    # cookie(String):: Optional, serialized global session cookie. If none is supplied, a new session is created.
-    # valid_signature_digest(String):: Optional, already-trusted signature. If supplied, the expensive RSA-verify operation will be skipped if the cookie's signature matches the value supplied.
-    #
-    # ===Raise
-    # InvalidSession:: if the session contained in the cookie has been invalidated
-    # ExpiredSession:: if the session contained in the cookie has expired
-    # MalformedCookie:: if the cookie was corrupt or malformed
-    # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
-    def initialize(directory, cookie=nil, valid_signature_digest=nil)
-      super(directory)
-      @configuration = directory.configuration
-      @schema_signed = Set.new((@configuration['attributes']['signed']))
-      @schema_insecure = Set.new((@configuration['attributes']['insecure']))
-
-      if cookie && !cookie.empty?
-        load_from_cookie(cookie, valid_signature_digest)
-      elsif @directory.local_authority_name
-        create_from_scratch
-      else
-        create_invalid
-      end
-    end
-
-    # @return [true,false] true if this session was created in-process, false if it was initialized from a cookie
-    def new_record?
-      @cookie.nil?
-    end
-
-    # Determine whether the session is valid. This method simply delegates to the
-    # directory associated with this session.
-    #
-    # === Return
-    # valid(true|false):: True if the session is valid, false otherwise
-    def valid?
-      @directory.valid_session?(@id, @expired_at)
-    end
-
     # Serialize the session to a form suitable for use with HTTP cookies. If any
     # secure attributes have changed since the session was instantiated, compute
     # a fresh RSA signature.
     #
     # === Return
-    # cookie(String):: The B64cookie-encoded Zlib-compressed JSON-serialized global session hash
+    # cookie(String):: Base64Cookie-encoded, Zlib-compressed JSON-serialized global session
     def to_s
       if @cookie && !@dirty_insecure && !@dirty_secure
         #use cached cookie if nothing has changed
@@ -116,31 +86,6 @@ module GlobalSession::Session
       return GlobalSession::Encoding::Base64Cookie.dump(zbin)
     end
 
-    # Determine whether the global session schema allows a given key to be placed
-    # in the global session.
-    #
-    # === Parameters
-    # key(String):: The name of the key
-    #
-    # === Return
-    # supported(true|false):: Whether the specified key is supported
-    def supports_key?(key)
-      @schema_signed.include?(key) || @schema_insecure.include?(key)
-    end
-
-    # Determine whether this session contains a value with the specified key.
-    #
-    # === Parameters
-    # key(String):: The name of the key
-    #
-    # === Return
-    # contained(true|false):: Whether the session currently has a value for the specified key.
-    def has_key?(key)
-      @signed.has_key?(key) || @insecure.has_key?(key)
-    end
-
-    alias :key? :has_key?
-
     # Return the keys that are currently present in the global session.
     #
     # === Return
@@ -269,7 +214,7 @@ module GlobalSession::Session
       return output
     end
 
-    def load_from_cookie(cookie, valid_signature_digest) # :nodoc:
+    def load_from_cookie(cookie) # :nodoc:
       begin
         zbin = GlobalSession::Encoding::Base64Cookie.load(cookie)
         json = Zlib::Inflate.inflate(zbin)
@@ -288,15 +233,13 @@ module GlobalSession::Session
       insecure = hash.delete('dx')
       signature = hash.delete('s')
 
-      unless valid_signature_digest == digest(signature)
-        #Check signature
-        expected = canonical_digest(hash)
-        signer = @directory.authorities[authority]
-        raise SecurityError, "Unknown signing authority #{authority}" unless signer
-        got = signer.public_decrypt(GlobalSession::Encoding::Base64Cookie.load(signature))
-        unless (got == expected)
-          raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
-        end
+      #Check signature
+      expected = canonical_digest(hash)
+      signer = @directory.authorities[authority]
+      raise SecurityError, "Unknown signing authority #{authority}" unless signer
+      got = signer.public_decrypt(GlobalSession::Encoding::Base64Cookie.load(signature))
+      unless (got == expected)
+        raise SecurityError, "Signature mismatch on global session cookie; tampering suspected"
       end
 
       #Check trust in signing authority

data/lib/global_session/session/v2.rb

@@ -22,10 +22,24 @@
 # Standard library dependencies
 require 'set'
 
-# Dependencies on other gems
-require 'msgpack'
-
 module GlobalSession::Session
+  # Global session V2 uses msgpack serialization and no compression. Its msgpack structure is an
+  # Array with the following format:
+  #  [<uuid_string>,
+  #   <signing_authority_string>,
+  #   <creation_timestamp_integer>,
+  #   <expiration_timestamp_integer>,
+  #   {<signed_data_hash>},
+  #   {<unsigned_data_hash>},
+  #   <binary_signature_string>]
+  #
+  # The design goal of V2 is to minimize the size of the base64-encoded session state in order
+  # to make GlobalSession more amenable to use as a browser cookie.
+  #
+  # Limitations of V2 include the following:
+  # * Some Ruby implementations (e.g. JRuby) lack a msgpack library
+  # * The sign and verify algorithms, while safe, do not comply fully with PKCS7; they rely on the
+  #   OpenSSL low-level crypto API instead of using the higher-level EVP (envelope) API.
   class V2 < Abstract
     # Utility method to decode a cookie; good for console debugging. This performs no
     # validation or security check of any sort.
@@ -37,53 +51,12 @@ module GlobalSession::Session
       return GlobalSession::Encoding::Msgpack.load(msgpack)
     end
 
-    # Create a new global session object.
-    #
-    # === Parameters
-    # directory(Directory):: directory implementation that the session should use for various operations
-    # cookie(String):: Optional, serialized global session cookie. If none is supplied, a new session is created.
-    # unused(Object):: Optional, already-trusted signature. This is ignored for v2.
-    #
-    # ===Raise
-    # InvalidSession:: if the session contained in the cookie has been invalidated
-    # ExpiredSession:: if the session contained in the cookie has expired
-    # MalformedCookie:: if the cookie was corrupt or malformed
-    # SecurityError:: if signature is invalid or cookie is not signed by a trusted authority
-    def initialize(directory, cookie=nil)
-      super(directory)
-      @configuration = directory.configuration
-      @schema_signed = Set.new((@configuration['attributes']['signed']))
-      @schema_insecure = Set.new((@configuration['attributes']['insecure']))
-
-      if cookie && !cookie.empty?
-        load_from_cookie(cookie)
-      elsif @directory.local_authority_name
-        create_from_scratch
-      else
-        create_invalid
-      end
-    end
-
-    # @return [true,false] true if this session was created in-process, false if it was initialized from a cookie
-    def new_record?
-      @cookie.nil?
-    end
-
-    # Determine whether the session is valid. This method simply delegates to the
-    # directory associated with this session.
-    #
-    # === Return
-    # valid(true|false):: True if the session is valid, false otherwise
-    def valid?
-      @directory.valid_session?(@id, @expired_at)
-    end
-
     # Serialize the session to a form suitable for use with HTTP cookies. If any
     # secure attributes have changed since the session was instantiated, compute
     # a fresh RSA signature.
     #
     # === Return
-    # cookie(String):: The B64cookie-encoded Zlib-compressed Msgpack-serialized global session hash
+    # cookie(String):: Base64Cookie-encoded, Msgpack-serialized global session
     def to_s
       if @cookie && !@dirty_insecure && !@dirty_secure
         #use cached cookie if nothing has changed
@@ -117,31 +90,6 @@ module GlobalSession::Session
       return GlobalSession::Encoding::Base64Cookie.dump(msgpack)
     end
 
-    # Determine whether the global session schema allows a given key to be placed
-    # in the global session.
-    #
-    # === Parameters
-    # key(String):: The name of the key
-    #
-    # === Return
-    # supported(true|false):: Whether the specified key is supported
-    def supports_key?(key)
-      @schema_signed.include?(key) || @schema_insecure.include?(key)
-    end
-
-    # Determine whether this session contains a value with the specified key.
-    #
-    # === Parameters
-    # key(String):: The name of the key
-    #
-    # === Return
-    # contained(true|false):: Whether the session currently has a value for the specified key.
-    def has_key?(key)
-      @signed.has_key?(key) || @insecure.has_key?(key)
-    end
-
-    alias :key? :has_key?
-
     # Return the keys that are currently present in the global session.
     #
     # === Return
@@ -314,12 +262,10 @@ module GlobalSession::Session
 
       begin
         signed_hash.verify!(signature, expired_at)
-      rescue SecurityError => e
-        if e.message =~ /expired/
-          raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
-        else
-          raise SecurityError, "Global session verification failure; suspected tampering: " + e.message
-        end
+      rescue RightSupport::Crypto::ExpiredSignature
+        raise GlobalSession::ExpiredSession, "Session expired at #{expired_at}"
+      rescue RightSupport::Crypto::InvalidSignature => e
+        raise SecurityError, "Global session signature verification failed: " + e.message
       end
 
       #Check other validity (delegate to directory)