1 | package Mojolicious::Sessions;
|
---|
2 | use Mojo::Base -base;
|
---|
3 |
|
---|
4 | use Mojo::JSON;
|
---|
5 | use Mojo::Util qw(b64_decode b64_encode);
|
---|
6 |
|
---|
7 | has [qw(cookie_domain secure)];
|
---|
8 | has cookie_name => 'mojolicious';
|
---|
9 | has cookie_path => '/';
|
---|
10 | has default_expiration => 3600;
|
---|
11 | has deserialize => sub { \&Mojo::JSON::j };
|
---|
12 | has serialize => sub { \&Mojo::JSON::encode_json };
|
---|
13 |
|
---|
14 | sub load {
|
---|
15 | my ($self, $c) = @_;
|
---|
16 |
|
---|
17 | return unless my $value = $c->signed_cookie($self->cookie_name);
|
---|
18 | $value =~ y/-/=/;
|
---|
19 | return unless my $session = $self->deserialize->(b64_decode $value);
|
---|
20 |
|
---|
21 | # "expiration" value is inherited
|
---|
22 | my $expiration = $session->{expiration} // $self->default_expiration;
|
---|
23 | return if !(my $expires = delete $session->{expires}) && $expiration;
|
---|
24 | return if defined $expires && $expires <= time;
|
---|
25 |
|
---|
26 | my $stash = $c->stash;
|
---|
27 | return unless $stash->{'mojo.active_session'} = keys %$session;
|
---|
28 | $stash->{'mojo.session'} = $session;
|
---|
29 | $session->{flash} = delete $session->{new_flash} if $session->{new_flash};
|
---|
30 | }
|
---|
31 |
|
---|
32 | sub store {
|
---|
33 | my ($self, $c) = @_;
|
---|
34 |
|
---|
35 | # Make sure session was active
|
---|
36 | my $stash = $c->stash;
|
---|
37 | return unless my $session = $stash->{'mojo.session'};
|
---|
38 | return unless keys %$session || $stash->{'mojo.active_session'};
|
---|
39 |
|
---|
40 | # Don't reset flash for static files
|
---|
41 | my $old = delete $session->{flash};
|
---|
42 | $session->{new_flash} = $old if $stash->{'mojo.static'};
|
---|
43 | delete $session->{new_flash} unless keys %{$session->{new_flash}};
|
---|
44 |
|
---|
45 | # Generate "expires" value from "expiration" if necessary
|
---|
46 | my $expiration = $session->{expiration} // $self->default_expiration;
|
---|
47 | my $default = delete $session->{expires};
|
---|
48 | $session->{expires} = $default || time + $expiration
|
---|
49 | if $expiration || $default;
|
---|
50 |
|
---|
51 | my $value = b64_encode $self->serialize->($session), '';
|
---|
52 | $value =~ y/=/-/;
|
---|
53 | my $options = {
|
---|
54 | domain => $self->cookie_domain,
|
---|
55 | expires => $session->{expires},
|
---|
56 | httponly => 1,
|
---|
57 | path => $self->cookie_path,
|
---|
58 | secure => $self->secure
|
---|
59 | };
|
---|
60 | $c->signed_cookie($self->cookie_name, $value, $options);
|
---|
61 | }
|
---|
62 |
|
---|
63 | 1;
|
---|
64 |
|
---|
65 | =encoding utf8
|
---|
66 |
|
---|
67 | =head1 NAME
|
---|
68 |
|
---|
69 | Mojolicious::Sessions - Session manager based on signed cookies
|
---|
70 |
|
---|
71 | =head1 SYNOPSIS
|
---|
72 |
|
---|
73 | use Mojolicious::Sessions;
|
---|
74 |
|
---|
75 | my $sessions = Mojolicious::Sessions->new;
|
---|
76 | $sessions->cookie_name('myapp');
|
---|
77 | $sessions->default_expiration(86400);
|
---|
78 |
|
---|
79 | =head1 DESCRIPTION
|
---|
80 |
|
---|
81 | L<Mojolicious::Sessions> manages sessions based on signed cookies for
|
---|
82 | L<Mojolicious>. All data gets serialized with L<Mojo::JSON> and stored Base64
|
---|
83 | encoded on the client-side, but is protected from unwanted changes with a
|
---|
84 | HMAC-SHA1 signature.
|
---|
85 |
|
---|
86 | =head1 ATTRIBUTES
|
---|
87 |
|
---|
88 | L<Mojolicious::Sessions> implements the following attributes.
|
---|
89 |
|
---|
90 | =head2 cookie_domain
|
---|
91 |
|
---|
92 | my $domain = $sessions->cookie_domain;
|
---|
93 | $sessions = $sessions->cookie_domain('.example.com');
|
---|
94 |
|
---|
95 | Domain for session cookies, not defined by default.
|
---|
96 |
|
---|
97 | =head2 cookie_name
|
---|
98 |
|
---|
99 | my $name = $sessions->cookie_name;
|
---|
100 | $sessions = $sessions->cookie_name('session');
|
---|
101 |
|
---|
102 | Name for session cookies, defaults to C<mojolicious>.
|
---|
103 |
|
---|
104 | =head2 cookie_path
|
---|
105 |
|
---|
106 | my $path = $sessions->cookie_path;
|
---|
107 | $sessions = $sessions->cookie_path('/foo');
|
---|
108 |
|
---|
109 | Path for session cookies, defaults to C</>.
|
---|
110 |
|
---|
111 | =head2 default_expiration
|
---|
112 |
|
---|
113 | my $time = $sessions->default_expiration;
|
---|
114 | $sessions = $sessions->default_expiration(3600);
|
---|
115 |
|
---|
116 | Default time for sessions to expire in seconds from now, defaults to C<3600>.
|
---|
117 | The expiration timeout gets refreshed for every request. Setting the value to
|
---|
118 | C<0> will allow sessions to persist until the browser window is closed, this
|
---|
119 | can have security implications though. For more control you can also use the
|
---|
120 | C<expiration> and C<expires> session values.
|
---|
121 |
|
---|
122 | # Expiration date in seconds from now (persists between requests)
|
---|
123 | $c->session(expiration => 604800);
|
---|
124 |
|
---|
125 | # Expiration date as absolute epoch time (only valid for one request)
|
---|
126 | $c->session(expires => time + 604800);
|
---|
127 |
|
---|
128 | # Delete whole session by setting an expiration date in the past
|
---|
129 | $c->session(expires => 1);
|
---|
130 |
|
---|
131 | =head2 deserialize
|
---|
132 |
|
---|
133 | my $cb = $sessions->deserialize;
|
---|
134 | $sessions = $sessions->deserialize(sub {...});
|
---|
135 |
|
---|
136 | A callback used to deserialize sessions, defaults to L<Mojo::JSON/"j">.
|
---|
137 |
|
---|
138 | $sessions->deserialize(sub {
|
---|
139 | my $bytes = shift;
|
---|
140 | return {};
|
---|
141 | });
|
---|
142 |
|
---|
143 | =head2 secure
|
---|
144 |
|
---|
145 | my $bool = $sessions->secure;
|
---|
146 | $sessions = $sessions->secure($bool);
|
---|
147 |
|
---|
148 | Set the secure flag on all session cookies, so that browsers send them only
|
---|
149 | over HTTPS connections.
|
---|
150 |
|
---|
151 | =head2 serialize
|
---|
152 |
|
---|
153 | my $cb = $sessions->serialize;
|
---|
154 | $sessions = $sessions->serialize(sub {...});
|
---|
155 |
|
---|
156 | A callback used to serialize sessions, defaults to L<Mojo::JSON/"encode_json">.
|
---|
157 |
|
---|
158 | $sessions->serialize(sub {
|
---|
159 | my $hash = shift;
|
---|
160 | return '';
|
---|
161 | });
|
---|
162 |
|
---|
163 | =head1 METHODS
|
---|
164 |
|
---|
165 | L<Mojolicious::Sessions> inherits all methods from L<Mojo::Base> and implements
|
---|
166 | the following new ones.
|
---|
167 |
|
---|
168 | =head2 load
|
---|
169 |
|
---|
170 | $sessions->load(Mojolicious::Controller->new);
|
---|
171 |
|
---|
172 | Load session data from signed cookie.
|
---|
173 |
|
---|
174 | =head2 store
|
---|
175 |
|
---|
176 | $sessions->store(Mojolicious::Controller->new);
|
---|
177 |
|
---|
178 | Store session data in signed cookie.
|
---|
179 |
|
---|
180 | =head1 SEE ALSO
|
---|
181 |
|
---|
182 | L<Mojolicious>, L<Mojolicious::Guides>, L<https://mojolicious.org>.
|
---|
183 |
|
---|
184 | =cut
|
---|