
plack-middleware-signedcookies's Introduction

NAME

Plack::Middleware::SignedCookies - accept only server-minted cookies

SYNOPSIS

# in app.psgi
use Plack::Builder;

builder {
    enable 'SignedCookies', secret => 's333333333kr1t!!!!1!!';
    $app;
};

DESCRIPTION

This middleware modifies Cookie headers in the request and Set-Cookie headers in the response. It appends an HMAC digest to outgoing cookies and verifies and strips that digest from incoming cookies. Incoming cookies that arrive without a valid digest are rejected.

The incoming Cookie header value remains available in the signedcookies.orig key in the PSGI environment.

CONFIGURATION OPTIONS

secret

The secret to pass to the Digest::SHA HMAC function.

If not provided, a random secret will be generated using Perl’s built-in rand function.

secure

Whether to force the secure flag to be set on all cookies, which instructs the browser to only send them when using an encrypted connection.

Defaults to false. You should strongly consider overriding this default with a true value.

httponly

Whether to force the HttpOnly flag to be set on all cookies, which instructs the browser not to make them available to JavaScript on the page.

Defaults to true. Provide a defined false value if you wish to override this.
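The following is an added example, written in Python rather than the module's Perl, that walks through what the DESCRIPTION and the CONFIGURATION OPTIONS above describe: an HMAC digest is appended to each outgoing cookie, incoming cookies are verified and the digest stripped before the application sees them, unsigned or tampered cookies are dropped, and the secure and httponly flags are forced onto every Set-Cookie header. It is not the module's code; the "value~digest" wire format, the base64url encoding of the digest, SHA-256 as the hash, and the function names are assumptions made for illustration and need not match the module byte-for-byte. Where a secret is generated rather than configured, the example draws it from the operating system CSPRNG.

```python
"""Illustration of HMAC-signed cookies in the style of Plack::Middleware::SignedCookies.

Added example (Python, not the module's Perl). Wire format "value~digest",
base64url digest encoding and SHA-256 are assumptions for illustration.
"""
import base64
import hashlib
import hmac
import secrets

SEP = "~"  # assumed separator between the cookie value and its digest


def new_secret() -> bytes:
    """Generate a secret from the OS CSPRNG when none is configured."""
    return secrets.token_bytes(32)


def _digest(secret: bytes, value: str) -> str:
    """HMAC-SHA256 of the cookie value, base64url without padding.

    The encoding contains no ';', '=' or '~', so the digest is safe to
    append inside a cookie value and can be split off unambiguously."""
    mac = hmac.new(secret, value.encode("utf-8"), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode("ascii")


def signed_value(secret: bytes, value: str) -> str:
    """The cookie value as it travels to the browser: value plus digest."""
    return f"{value}{SEP}{_digest(secret, value)}"


def set_cookie_header(secret: bytes, name: str, value: str, *,
                      secure: bool = True, httponly: bool = True) -> str:
    """Build the Set-Cookie header emitted for one outgoing cookie.

    secure/httponly mirror the middleware's configuration options; here
    both default to true (the module itself defaults secure to false)."""
    attrs = [f"{name}={signed_value(secret, value)}", "Path=/"]
    if secure:
        attrs.append("Secure")    # browser sends it only over TLS
    if httponly:
        attrs.append("HttpOnly")  # browser hides it from document.cookie
    return "; ".join(attrs)


def verify_cookie_header(secret: bytes, cookie_header: str) -> dict:
    """Parse an incoming Cookie header and keep only server-minted cookies.

    Returns {name: original_value} for cookies whose digest verifies.
    Cookies without a digest, or with a digest that does not match, are
    dropped, so the application never sees client-invented values."""
    accepted = {}
    for pair in cookie_header.split(";"):
        name, eq, signed = pair.strip().partition("=")
        if not eq:
            continue  # malformed pair, ignore
        # rpartition: the digest never contains SEP, but the value might
        value, sep, digest = signed.rpartition(SEP)
        if not sep:
            continue  # no digest at all: not minted by this server
        expected = _digest(secret, value)
        # constant-time comparison so digest checking leaks no timing signal
        if hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8")):
            accepted[name] = value
    return accepted


def rebuild_cookie_header(verified: dict) -> str:
    """The Cookie header handed to the application, with digests stripped."""
    return "; ".join(f"{k}={v}" for k, v in verified.items())


if __name__ == "__main__":
    secret = b"constructed-example-secret"          # constructed for the demo
    print(set_cookie_header(secret, "session", "user=42"))
    incoming = f"session={signed_value(secret, 'user=42')}; plain=unsigned"
    print(rebuild_cookie_header(verify_cookie_header(secret, incoming)))
```

Run as a script it prints the Set-Cookie header with its appended digest and the Secure/HttpOnly attributes, followed by the Cookie header the application would receive, from which the unsigned `plain` cookie has been dropped and the digest on `session` stripped. Because the original Cookie header is replaced rather than merely annotated, an application behind this middleware can trust that every cookie it reads was minted by the server.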

A NOTE ON EXPIRATION

Several other modules that offer similar functionality will also handle server-side cookie expiration. This is obviously useful for centralising all cookie policy in one place.

However, expiration is quite likely to be a concern at the application level, if only just to tell a user that they timed out rather than just suddenly forgetting them. Communicating server-side expiration from the middleware to the application requires a protocol. No standard protocol exists for this purpose, so it would have to be specific to this middleware.

But middlewares are most useful when they can be added or removed without modifying the application. (Frameworks, in contrast, require tight coupling of the application by definition, thus making it a reasonable choice to include cookie expiration plus interface in a framework.) Therefore, it was an explicit design choice for this middleware to omit expiration handling.

SEE ALSO


plack-middleware-signedcookies's Issues

t/signedcookies.t fails (with newer HTTP::Cookies?)

The test suite started to fail on my smokers:

#   Failed test 'Own cookies are recognized'
#   at t/signedcookies.t line 51.
#          got: 'c0=;ch=dolor sit\;cs=amet, consectetur;cx='adipiscing elit''
#     expected: 'c0=;cb=lorem "ipsum";ch=dolor sit\;cs=amet, consectetur;cx='adipiscing elit''

#   Failed test 'Tampered cookies are rejected'
#   at t/signedcookies.t line 54.
#          got: 'c0=;ch=dolor sit\;cs=amet, consectetur'
#     expected: 'c0=;cb=lorem "ipsum";ch=dolor sit\;cs=amet, consectetur'
# Looks like you failed 2 tests of 17.
t/signedcookies.t .. 
Dubious, test returned 2 (wstat 512, 0x200)
Failed 2/17 subtests 

Statistical analysis suggests that this happens since HTTP::Cookies 6.05 (@oalders: FYI):

****************************************************************
Regression 'mod:HTTP::Cookies'
****************************************************************
Name           	       Theta	      StdErr	 T-stat
[0='const']    	      1.0000	      0.0000	10765784633744040.00
[1='eq_6.03']  	      0.0000	      0.0000	   2.63
[2='eq_6.04']  	      0.0000	      0.0000	   4.66
[3='eq_6.05']  	     -1.0000	      0.0000	-5382892316872020.00
[4='eq_6.07']  	     -1.0000	      0.0000	-6808880048294560.00
[5='eq_6.08']  	     -1.0000	      0.0000	-9323442984494490.00

R^2= 1.000, N= 150, K= 6
****************************************************************

Cookie containing JSON does not appear to get a valid signature

First off, thanks for your work on this. :)

I had some issues with this module yesterday. I'm having trouble distilling this down to a simple test case to demonstrate here, so I figure I'll just open an issue to see if it's even worth looking into.

I've got a Mojo app that uses Plack::Middleware::SignedCookies. I was setting a cookie from Mojo. It was going out fine, but Plack::Middleware::SignedCookies was preventing this same cookie from appearing in subsequent requests to the Mojo app. Once I switched the content of the cookie from JSON to key/value pairs foo=bar&baz=quz I no longer had any issues with the module.

Here's a sample of what I was seeing. The first cookie (mm_session) was making it back in the request, but the second (ppa) was not:

Response Cookie:

.-----------+-------------------------------------------------------------------------------------.
| Key       | Value                                                                               |
+-----------+-------------------------------------------------------------------------------------+
| key       | mm_session                                                                          |
| val       | 7e8257d6a7a0b526f3ebef79e9085727bfccf10b07lHYRF5l4wAIKpKIax~JN3lOHpxAhwZBBhRaEYyeD8 |
| path      | /                                                                                   |
| domain    | localhost.local                                                                     |
| path_spec | 1                                                                                   |
| expires   | 2017-08-03T19:43:55                                                                 |
'-----------+-------------------------------------------------------------------------------------'

Response Cookie:

.-----------+--------------------------------------------------------------------------------------------------------------.
| Key       | Value                                                                                                        |
+-----------+--------------------------------------------------------------------------------------------------------------+
| key       | ppa                                                                                                          |
| val       | "{\"RESPMSG\":\"Secure token already used.\",\"RESULT\":\"160\"}"Nv1AqiKbuSiODwJcWQmGmV9wHOGrOEChzb9YcUsrRLw |
| path      | /                                                                                                            |
| domain    | localhost.local                                                                                              |
| path_spec | 1                                                                                                            |
| expires   | 2017-07-27T19:48:55                                                                                          |
'-----------+--------------------------------------------------------------------------------------------------------------'

The one thing that strikes me is the missing ~ in the ppa cookie. Once I changed the format of the cookie content, the ~ was there, e.g. RESPMSG=Secure+token+already+used.&RESULT=160ltD~1yIlu3e7YVMk1vS0JLbHqDSaaOWDDXBLwQPhxWU

I was using Mojo's cookie() method rather than signed_cookie().
