From bd9afc8f964fe4a3ddd9a3a73bddeaadab500be5 Mon Sep 17 00:00:00 2001
From: Thomas
Date: Thu, 10 Jul 2014 08:44:46 -0700
Subject: [PATCH 1/3] Removing dead code.
---
 pg-sessions.lisp | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/pg-sessions.lisp b/pg-sessions.lisp
index 1db7573..19250b7 100644
--- a/pg-sessions.lisp
+++ b/pg-sessions.lisp
@@ -215,11 +215,3 @@ SESSION \(the default is the current session) if it exists."
 (,%symbol ,symbol))
 (setf (slot-value ,%session ,%symbol) ,new-value)
 (save-pg-session ,%session))))
-
-;; (defun reset-sessions (&optional (acceptor *acceptor*))
-;; "Removes ALL stored sessions of ACCEPTOR."
-;; (with-session-lock-held ((session-db-lock acceptor))
-;; (loop for (nil . session) in (session-db acceptor)
-;; do (acceptor-remove-session acceptor session))
-;; (setq *session-db* nil))
-;; (values))
From 8f3ab1062c0c55bf70240849bb2700f07b9a8425 Mon Sep 17 00:00:00 2001
From: Thomas
Date: Thu, 10 Jul 2014 08:49:21 -0700
Subject: [PATCH 2/3] Removing user agent and remote IP from session hash string computation and pg session storage.

Including those is pretty much bullshit since they are so easy to fake. It isn't worth the extra complexity or storage space.
---
 pg-sessions.lisp | 27 +++------------------------
 1 file changed, 3 insertions(+), 24 deletions(-)
diff --git a/pg-sessions.lisp b/pg-sessions.lisp
index 19250b7..40cd335 100644
--- a/pg-sessions.lisp
+++ b/pg-sessions.lisp
@@ -37,10 +37,6 @@
 :documentation "The session string encodes enough data to safely retrieve this session. It is sent to the browser as a cookie value or as a GET parameter.")
- (user-agent :initarg :user-agent
- :accessor pg-session-user-agent)
- (remote-addr :initarg :remote-addr
- :accessor pg-session-remote-addr)
 (session-start :col-type bigint :initform (get-universal-time) :accessor pg-session-start)
 (last-click :col-type bigint :initform (get-universal-time) :accessor pg-session-last-click :documentation "The last time this session was used.")
@@ -62,9 +58,7 @@ stored in the postmodern database."))
 (loop for code across (md5:md5sum-string string) do (format s "~2,'0x" code))))
-(defun encode-session-string (id user-agent remote-addr start)
- "Creates a uniquely encoded session string based on the values ID,
-USER-AGENT, and START"
+(defun encode-session-string (id start)
 ;; *PG-SESSION-SECRET* is used twice due to known theoretical
 ;; vulnerabilities of MD5 encoding
 (md5-hex (concatenate 'string
@@ -72,18 +66,12 @@ USER-AGENT, and START"
 (md5-hex (format nil "~A~A~@[~A~]~@[~A~]~A" *pg-session-secret* id
- (and hunchentoot:*use-user-agent-for-sessions*
- user-agent)
- (and hunchentoot:*use-remote-addr-for-sessions*
- remote-addr)
 start)))))
 (defun stringify-session (session)
 "Creates a string representing of the SESSION object SESSION. See ENCODE-SESSION-STRING."
 (encode-session-string (pg-session-id session)
- (pg-session-user-agent session)
- (pg-session-remote-addr session)
 (pg-session-start session)))
 (defun session-too-old-p (session)
@@ -122,9 +110,7 @@ case the function will also send a session cookie to the browser."
 (return-from pg-start-session session)) (setf session (apply #'make-dao
- (append `(,*session-type*
- :user-agent ,(hunchentoot:user-agent hunchentoot:*request*)
- :remote-addr ,(hunchentoot:real-remote-addr hunchentoot:*request*))
+ (append `(,*session-type*)
 args))) (setf (hunchentoot:session hunchentoot:*request*) session) (setf (pg-session-string session) (stringify-session session))
@@ -145,9 +131,6 @@ will not create a new one."
 (hunchentoot:log-message* :info "Session with ID ~A too old" id)) (pg-remove-session session) (setq session nil))
- (when session
- (setf (pg-session-user-agent session) (hunchentoot:user-agent request)
- (pg-session-remote-addr session) (hunchentoot:real-remote-addr request)))
 session))
 (defmethod hunchentoot:session-verify ((request hunchentoot:request))
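Review bot: The new `(defun encode-session-string (id start)` drops the function's docstring instead of updating it, so the contract of the session-string derivation is now undocumented. I would add `"Creates a uniquely encoded session string from ID and START, keyed with *PG-SESSION-SECRET*."` directly after the lambda list, above the existing `;; *PG-SESSION-SECRET* is used twice` comment. The body of `encode-session-string` continues in the next hunk.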
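Review bot: The control string `"~A~A~@[~A~]~@[~A~]~A"` on the unchanged `(md5-hex (format nil ...` line still expects five arguments, but after this hunk only `*pg-session-secret*`, `id` and `start` are passed, so the first `~@[~A~]` consumes `start` and the second finds no argument left and signals a format error. The line should become `(md5-hex (format nil "~A~A~A" *pg-session-secret* id start))`; a separator such as `"~A:~A:~A"` would also be cheap insurance against ambiguous `id`/`start` concatenation, at the cost of invalidating existing session strings, which this commit does anyway. Both callers on the new side go through this path, `stringify-session` (used by `pg-start-session` in the `@@ -122,9 +110,7 @@` hunk) and the recomputation in `session-verify` in the `@@ -168,17 +151,13 @@` hunk, so every session creation and verification would error. The remaining nested `md5-hex` over `*pg-session-secret*` is an ad-hoc keyed hash; an HMAC over the same fields would be the standard construction if this is revisited. `encode-session-string` begins in the previous hunk.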
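Review bot: The new `(append `(,*session-type*) args)` builds a one-element list only to append it, which reads as a leftover of the removed keyword arguments; `(apply #'make-dao *session-type* args)` is the idiomatic form with identical behaviour, since `apply` spreads its last argument. `pg-start-session` starts and ends outside the hunk.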
@@ -168,17 +151,13 @@ will not create a new one."
 (destructuring-bind (id-string session-string) (cl-ppcre:split ":" session-identifier :limit 2) (let* ((id (parse-integer id-string))
- (session (get-stored-session id request))
- (user-agent (hunchentoot:user-agent request))
- (remote-addr (hunchentoot:remote-addr request)))
+ (session (get-stored-session id request)))
 (cond ((and session (string= session-string (pg-session-string session)) (string= session-string (encode-session-string id
- user-agent
- (hunchentoot:real-remote-addr request)
 (pg-session-start session))))
 ;; the session key presented by the client is valid
 (setf (pg-session-last-click session) (get-universal-time))
From 982aaeb312b75a8f0604c199c8e09df1eb950afb Mon Sep 17 00:00:00 2001
From: Thomas
Date: Thu, 10 Jul 2014 08:50:48 -0700
Subject: [PATCH 3/3] Set package meta-info.
---
 pg-sessions.asd | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pg-sessions.asd b/pg-sessions.asd
index de32f87..4362160 100644
--- a/pg-sessions.asd
+++ b/pg-sessions.asd
@@ -1,8 +1,8 @@
 (asdf:defsystem #:pg-sessions :serial t
- :description "Describe hunchentoot-postmodern-sessions here"
- :author "Your Name "
- :license "Specify license here"
+ :description "Store hunchentoot sessions in a postgres database."
+ :author "Thomas Hintz"
+ :license "3-clause BSD."
 :depends-on (#:postmodern #:anaphora #:alexandria