session_injector 0.0.1.snapshot → 0.0.1

data/README.md

@@ -0,0 +1,68 @@
+Overview
+========
+
+If you are developing an application that serves subdomains, the `:all` cookie store domain parameter will most likely serve your needs.  However if your application serves distinct domains, you will most likely encounter some difficulties, as secure browsers will not accept "third party cookies" (i.e. any cookies you issue for a different domain will be disregarded).
+
+There are a couple of approaches, neither of which are particularly elegant: http://stackoverflow.com/questions/263010/whats-your-favorite-cross-domain-cookie-sharing-approach
+
+This gem provides a middleware that implements a "handshake" protocol based on a token inserted into a URL parameter, which allows you to transparently re-establish a Rack/Rails session accross domains.  It parses incoming parameters for the handshake/token parameter, decrypts and verifies the token, and sets the session id in the request, thereby re-establishing the session on the target domain.
+
+Usage
+=====
+
+If you are using Rails, insert this into your `config/application.rb`:
+
+    config.middleware.insert_before ActionDispatch::Cookies, "Rack::Middleware::SessionInjector", :key => '_your_session'
+
+Configuration options:
+
+    # the 'key' for your session (if you have set a custom session key)
+    @session_id_key = options[:key]
+    # the encryption key. omit for a dynamically generated key
+    @token_key = options[:token_key] || generated_token_key
+    # receiver-enforced lifetime of token. default: 5 seconds
+    @enforced_lifetime = options[:token_lifetime]
+    # should we die when we recieve an invalid token, or just continue (without session injection naturally)
+    @die_on_handshake_failure = options[:die_on_handshake_failure]
+
+There are three public methods through which you can initiate the session transfer:
+
+    Rack::Middleware::SessionInjector.generate_handshake_token(request, target_domain, lifetime = nil)
+    Rack::Middleware::SessionInjector.generate_handshake_parameter(request, target_domain, lifetime = nil)
+    Rack::Middleware::SessionInjector.propagate_session(request, target_domain, lifetime = nil)
+
+you can append the parameter to a link:
+
+    link_to "http://otherdomain?#{Rack::Middleware::SessionInjector.generate_handshake_parameter(request, 'myotherhost')}"
+
+or tell the middleware to rewrite the Location header on an HTTP redirect response:
+ 
+    Rack::Middleware::SessionInjector.propagate_session(request, 'myotherhost')
+
+or you can just generate the token and use some custom method to convey it to the request on the target domain:
+
+    token = Rack::Middleware::SessionInjector.generate_handshake_token(request, 'myotherhost')
+
+Security
+========
+
+The "handshake" token is generated via `ActiveSupport::MessageEncryptor` using a dynamically generated key (although you can specify a static key yourself).
+
+The token data consists of:
+
+    handshake = {
+      :request_ip => request.ip,
+      :request_path => request.fullpath, # more for accounting/stats than anything else
+      :src_domain => request.host,
+      :tgt_domain => target_domain,
+      :token_create_time => Time.now.to_i,
+      # the most important thing
+      :session_id => extract_session_id(request, session_injector.session_id_key)
+    }
+
+This token is verified in the following manner:
+
+* client request ip must match
+* target domain must match
+* token must not be older than receiver-specified lifetime
+* token must not be older than sender-specified lifetime

data/lib/session_injector.rb

@@ -7,6 +7,10 @@ module Rack
     
       class InvalidHandshake < StandardError; end
       
+      RACK_COOKIE_STRING = 'rack.request.cookie_string'.freeze
+      RACK_COOKIE_HASH = 'rack.request.cookie_hash'.freeze
+      HTTP_COOKIE = 'HTTP_COOKIE'.freeze
+  
       DEFAULT_OPTIONS = {
         # use the AbstractStore default key as our session id key
         # if you have configured a custom session store key, you must
@@ -149,12 +153,29 @@ module Rack
         request = Rack::Request.new(env)
         token = request.params[HANDSHAKE_PARAM]
         return unless token
-        # decrypt the token and set the session id
+
+        # decrypt the token and get the session cookie value
         handshake = decrypt_handshake_token(token, env)
-        #env[@session_id_key] = handshake[:session_id] if handshake
-        request.cookies[@session_id_key] = handshake[:session_id]
+        return unless handshake
+
+        cookie_value = handshake[:session_id]
+
+        # fix up Rack env
+        # ensure the cookie string is set
+        env[HTTP_COOKIE] = [env[HTTP_COOKIE], "#{@session_id_key}=#{cookie_value}"].compact.join(';')
+        # Rack request object parses cookies on demand and stores data in internal env keys
+        # but the current implementation is not good about writing back through to the env
+        # Since requests objects are transient wrappers we have to be prepared to encounter an env
+        # that may already be initialized with some state
+        # if the cookie string has already been read by Rack, update Rack's internal cookie string variable
+        if env[RACK_COOKIE_STRING]
+          env[RACK_COOKIE_STRING] = [env[RACK_COOKIE_STRING], "#{@session_id_key}=#{cookie_value}"].compact.join(';')
+        end
+        # if the cookie string has already been read by Rack, update Rack's internal cookie hash variable
+        request = Rack::Request.new(env)
+        request.cookies[@session_id_key] = cookie_value # call cookies() to make Rack::Request do its stuff
       end
-      
+
       # decrypts a handshake token sent to us from a source domain
       def decrypt_handshake_token(token, env)
         handshake = ActiveSupport::MessageEncryptor.new(@token_key).decrypt_and_verify(token);

data/lib/session_injector/version.rb

@@ -1,5 +1,5 @@
 module Rack
   module SessionInjector
-    VERSION = "0.0.1.snapshot"
+    VERSION = "0.0.1"
   end
 end

metadata

@@ -1,14 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: session_injector
 version: !ruby/object:Gem::Version 
-  hash: -2083286358
-  prerelease: true
+  hash: 29
+  prerelease: false
   segments: 
   - 0
   - 0
   - 1
-  - snapshot
-  version: 0.0.1.snapshot
+  version: 0.0.1
 platform: ruby
 authors: 
 - Aaron Hamid
@@ -16,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2011-04-02 00:00:00 -04:00
+date: 2011-04-04 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -60,6 +59,7 @@ extra_rdoc_files: []
 files: 
 - lib/session_injector/version.rb
 - lib/session_injector.rb
+- README.md
 has_rdoc: true
 homepage: http://github.com/incandescent/session-injector
 licenses: []