|
|
|
@ -37,10 +37,6 @@
|
|
|
|
:documentation "The session string encodes enough
|
|
|
|
:documentation "The session string encodes enough
|
|
|
|
data to safely retrieve this session. It is sent to the browser as a
|
|
|
|
data to safely retrieve this session. It is sent to the browser as a
|
|
|
|
cookie value or as a GET parameter.")
|
|
|
|
cookie value or as a GET parameter.")
|
|
|
|
(user-agent :initarg :user-agent
|
|
|
|
|
|
|
|
:accessor pg-session-user-agent)
|
|
|
|
|
|
|
|
(remote-addr :initarg :remote-addr
|
|
|
|
|
|
|
|
:accessor pg-session-remote-addr)
|
|
|
|
|
|
|
|
(session-start :col-type bigint :initform (get-universal-time) :accessor pg-session-start)
|
|
|
|
(session-start :col-type bigint :initform (get-universal-time) :accessor pg-session-start)
|
|
|
|
(last-click :col-type bigint :initform (get-universal-time) :accessor pg-session-last-click
|
|
|
|
(last-click :col-type bigint :initform (get-universal-time) :accessor pg-session-last-click
|
|
|
|
:documentation "The last time this session was used.")
|
|
|
|
:documentation "The last time this session was used.")
|
|
|
|
@ -62,9 +58,7 @@ stored in the postmodern database."))
|
|
|
|
(loop for code across (md5:md5sum-string string)
|
|
|
|
(loop for code across (md5:md5sum-string string)
|
|
|
|
do (format s "~2,'0x" code))))
|
|
|
|
do (format s "~2,'0x" code))))
|
|
|
|
|
|
|
|
|
|
|
|
(defun encode-session-string (id user-agent remote-addr start)
|
|
|
|
(defun encode-session-string (id start)
|
|
|
|
"Creates a uniquely encoded session string based on the values ID,
|
|
|
|
|
|
|
|
USER-AGENT, and START"
|
|
|
|
|
|
|
|
;; *PG-SESSION-SECRET* is used twice due to known theoretical
|
|
|
|
;; *PG-SESSION-SECRET* is used twice due to known theoretical
|
|
|
|
;; vulnerabilities of MD5 encoding
|
|
|
|
;; vulnerabilities of MD5 encoding
|
|
|
|
(md5-hex (concatenate 'string
|
|
|
|
(md5-hex (concatenate 'string
|
|
|
|
@ -72,18 +66,12 @@ USER-AGENT, and START"
|
|
|
|
(md5-hex (format nil "~A~A~@[~A~]~@[~A~]~A"
|
|
|
|
(md5-hex (format nil "~A~A~@[~A~]~@[~A~]~A"
|
|
|
|
*pg-session-secret*
|
|
|
|
*pg-session-secret*
|
|
|
|
id
|
|
|
|
id
|
|
|
|
(and hunchentoot:*use-user-agent-for-sessions*
|
|
|
|
|
|
|
|
user-agent)
|
|
|
|
|
|
|
|
(and hunchentoot:*use-remote-addr-for-sessions*
|
|
|
|
|
|
|
|
remote-addr)
|
|
|
|
|
|
|
|
start)))))
|
|
|
|
start)))))
|
|
|
|
|
|
|
|
|
|
|
|
(defun stringify-session (session)
|
|
|
|
(defun stringify-session (session)
|
|
|
|
"Creates a string representing of the SESSION object SESSION. See
|
|
|
|
"Creates a string representing of the SESSION object SESSION. See
|
|
|
|
ENCODE-SESSION-STRING."
|
|
|
|
ENCODE-SESSION-STRING."
|
|
|
|
(encode-session-string (pg-session-id session)
|
|
|
|
(encode-session-string (pg-session-id session)
|
|
|
|
(pg-session-user-agent session)
|
|
|
|
|
|
|
|
(pg-session-remote-addr session)
|
|
|
|
|
|
|
|
(pg-session-start session)))
|
|
|
|
(pg-session-start session)))
|
|
|
|
|
|
|
|
|
|
|
|
(defun session-too-old-p (session)
|
|
|
|
(defun session-too-old-p (session)
|
|
|
|
@ -122,9 +110,7 @@ case the function will also send a session cookie to the browser."
|
|
|
|
(return-from pg-start-session session))
|
|
|
|
(return-from pg-start-session session))
|
|
|
|
(setf session
|
|
|
|
(setf session
|
|
|
|
(apply #'make-dao
|
|
|
|
(apply #'make-dao
|
|
|
|
(append `(,*session-type*
|
|
|
|
(append `(,*session-type*)
|
|
|
|
:user-agent ,(hunchentoot:user-agent hunchentoot:*request*)
|
|
|
|
|
|
|
|
:remote-addr ,(hunchentoot:real-remote-addr hunchentoot:*request*))
|
|
|
|
|
|
|
|
args)))
|
|
|
|
args)))
|
|
|
|
(setf (hunchentoot:session hunchentoot:*request*) session)
|
|
|
|
(setf (hunchentoot:session hunchentoot:*request*) session)
|
|
|
|
(setf (pg-session-string session) (stringify-session session))
|
|
|
|
(setf (pg-session-string session) (stringify-session session))
|
|
|
|
@ -145,9 +131,6 @@ will not create a new one."
|
|
|
|
(hunchentoot:log-message* :info "Session with ID ~A too old" id))
|
|
|
|
(hunchentoot:log-message* :info "Session with ID ~A too old" id))
|
|
|
|
(pg-remove-session session)
|
|
|
|
(pg-remove-session session)
|
|
|
|
(setq session nil))
|
|
|
|
(setq session nil))
|
|
|
|
(when session
|
|
|
|
|
|
|
|
(setf (pg-session-user-agent session) (hunchentoot:user-agent request)
|
|
|
|
|
|
|
|
(pg-session-remote-addr session) (hunchentoot:real-remote-addr request)))
|
|
|
|
|
|
|
|
session))
|
|
|
|
session))
|
|
|
|
|
|
|
|
|
|
|
|
(defmethod hunchentoot:session-verify ((request hunchentoot:request))
|
|
|
|
(defmethod hunchentoot:session-verify ((request hunchentoot:request))
|
|
|
|
@ -168,17 +151,13 @@ will not create a new one."
|
|
|
|
(destructuring-bind (id-string session-string)
|
|
|
|
(destructuring-bind (id-string session-string)
|
|
|
|
(cl-ppcre:split ":" session-identifier :limit 2)
|
|
|
|
(cl-ppcre:split ":" session-identifier :limit 2)
|
|
|
|
(let* ((id (parse-integer id-string))
|
|
|
|
(let* ((id (parse-integer id-string))
|
|
|
|
(session (get-stored-session id request))
|
|
|
|
(session (get-stored-session id request)))
|
|
|
|
(user-agent (hunchentoot:user-agent request))
|
|
|
|
|
|
|
|
(remote-addr (hunchentoot:remote-addr request)))
|
|
|
|
|
|
|
|
(cond
|
|
|
|
(cond
|
|
|
|
((and session
|
|
|
|
((and session
|
|
|
|
(string= session-string
|
|
|
|
(string= session-string
|
|
|
|
(pg-session-string session))
|
|
|
|
(pg-session-string session))
|
|
|
|
(string= session-string
|
|
|
|
(string= session-string
|
|
|
|
(encode-session-string id
|
|
|
|
(encode-session-string id
|
|
|
|
user-agent
|
|
|
|
|
|
|
|
(hunchentoot:real-remote-addr request)
|
|
|
|
|
|
|
|
(pg-session-start session))))
|
|
|
|
(pg-session-start session))))
|
|
|
|
;; the session key presented by the client is valid
|
|
|
|
;; the session key presented by the client is valid
|
|
|
|
(setf (pg-session-last-click session) (get-universal-time))
|
|
|
|
(setf (pg-session-last-click session) (get-universal-time))
|
|
|
|
|
Thomas
11 years ago