iron-sessionstorage

iron-sessionstorage's People

Contributors

matrix-zhang, phlmn, untitaker, zoumi


iron-sessionstorage's Issues

use same cookie version as hyper

I can't use iron-sessionstorage because it uses cookie v0.4.x and hyper uses v0.3.x. This leads to the following error:

native library 'openssl' is being linked to by more than one version of the same package, but it can only be linked once; try updating or pinning your dependencies to ensure that this package only shows up once

Unsetting session values?

Is there an idiomatic way to do this? The only way I can discern is to basically have a "this has been unset" sentinel value, like an empty string.

Redis backend doesn't regenerate iron_session_id

Even though the value of iron_session_id in the cookie is empty, SessionStorage doesn't generate a new session id.

The browser sends the cookie even if its value is not set. In this situation, SessionStorage generates a new session id and sends a Set-Cookie: ... header. But SessionStorage treats an empty session id as valid, and then stores values associated with an empty key. I think this is buggy.

Additionally, if the value of iron_session_id isn't empty, calling the set method (e.g. req.session.set(T)) in the web application stores values associated with that value of iron_session_id. That may be correct, but it is potentially vulnerable to a "session fixation" attack, so I am afraid to use this library for user authorization.
FYI, this is the document about session fixation: https://www.owasp.org/index.php/Session_fixation

A better solution, I think, is for SessionStorage to also provide a method to use a session id specified by the web application.

Thanks for the awesome library.

Version of iron-sessionstorage

iron-sessionstorage = {version="0.6.6", features=["redis-backend"]}
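The two issues above ("Unsetting session values?" and the session-fixation report) both come down to who controls the session id and how values are removed. The following is an added example, not code from iron-sessionstorage or from the issue authors: a small server-side store that only honours ids it issued itself, so an empty, unknown or attacker-planted iron_session_id never becomes a live session, rotates the id on login, and unsets a value by removing the key rather than writing a sentinel. The SessionStore type, its method names, and the counter-plus-RandomState id generator are assumptions made for this illustration; a real deployment must draw ids from a CSPRNG such as OsRng.

```rust
use std::collections::hash_map::RandomState;
use std::collections::HashMap;
use std::hash::{BuildHasher, Hasher};

/// Server-side session store that never accepts a client-supplied session id.
/// Added example, not iron-sessionstorage's code: the type and its methods are
/// assumptions made for this illustration.
pub struct SessionStore {
    sessions: HashMap<String, HashMap<String, String>>,
    seed: RandomState,
    counter: u64,
}

impl SessionStore {
    pub fn new() -> Self {
        SessionStore { sessions: HashMap::new(), seed: RandomState::new(), counter: 0 }
    }

    /// Mint a fresh id. Stand-in for a CSPRNG so the example runs with no
    /// dependencies: RandomState is seeded per process but is NOT
    /// cryptographic; production code must draw at least 128 bits from OsRng.
    fn fresh_id(&mut self) -> String {
        self.counter += 1;
        let mut h = self.seed.build_hasher();
        h.write_u64(self.counter);
        format!("{:016x}{:016x}", h.finish(), self.counter)
    }

    /// Map the id the browser presented to a session. Only ids this store
    /// issued are honoured; an empty, unknown or attacker-chosen id is
    /// discarded and a new session is created, so a fixated cookie never
    /// becomes the victim's session. Returns (id, regenerated).
    pub fn resolve(&mut self, presented: Option<&str>) -> (String, bool) {
        if let Some(id) = presented {
            if !id.is_empty() && self.sessions.contains_key(id) {
                return (id.to_string(), false);
            }
        }
        let id = self.fresh_id();
        self.sessions.insert(id.clone(), HashMap::new());
        (id, true)
    }

    /// Rotate the id but keep the data. Call this on login or any privilege
    /// change, so an id known to a third party before login is worthless.
    pub fn regenerate(&mut self, old_id: &str) -> String {
        let data = self.sessions.remove(old_id).unwrap_or_default();
        let new_id = self.fresh_id();
        self.sessions.insert(new_id.clone(), data);
        new_id
    }

    /// Store a value. Refuses to create a session for an id that was not
    /// issued by `resolve`/`regenerate` (writing under "" would otherwise
    /// silently create a session keyed by the empty string).
    pub fn set(&mut self, id: &str, key: &str, value: &str) -> bool {
        match self.sessions.get_mut(id) {
            Some(data) => {
                data.insert(key.to_string(), value.to_string());
                true
            }
            None => false,
        }
    }

    pub fn get(&self, id: &str, key: &str) -> Option<&str> {
        self.sessions.get(id)?.get(key).map(String::as_str)
    }

    /// Unset a single value without a sentinel; returns the old value.
    pub fn remove(&mut self, id: &str, key: &str) -> Option<String> {
        self.sessions.get_mut(id)?.remove(key)
    }

    /// Drop the whole session, e.g. on logout.
    pub fn destroy(&mut self, id: &str) -> bool {
        self.sessions.remove(id).is_some()
    }
}

fn main() {
    let mut store = SessionStore::new();
    // Cookie planted by an attacker: not honoured, a fresh id is issued.
    let (anon, regenerated) = store.resolve(Some("attacker-chosen-id"));
    println!("presented attacker id -> new id {} (regenerated={})", anon, regenerated);
    store.set(&anon, "cart", "3 items");
    // Login: rotate the id; data survives, the pre-login id dies.
    let authed = store.regenerate(&anon);
    store.set(&authed, "user", "alice");
    println!(
        "after login: id={} cart={:?} old id still valid={}",
        authed,
        store.get(&authed, "cart"),
        store.sessions.contains_key(&anon)
    );
    store.remove(&authed, "cart");
    store.destroy(&authed);
}
```

The important design choice is in resolve and set: a presented id is a lookup key, never a creation key, so the client can only ever select among sessions the server already knows about, and regenerate makes the pre-login id useless to whoever planted it.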

Session cookie not cleared if logout route is not at the root level

With SignedCookieBackend, session().clear() doesn't clear cookies if it is called on a route that isn't at the server root (e.g. /path/logout). This problem doesn't happen if Path=/ is added to the Set-Cookie header. I've confirmed this with both Firefox 45 and Chrome 57. I haven't tested this with the RedisBackend.

A minimal demonstration and a workaround can be found in this gist.

The dependencies that I used are

  • iron 0.5.1
  • mount 0.3.0
  • router 0.5.1
  • iron-sessionstorage 0.6.6

Edit: Looks like the issue is caused by this line. It seems like since Path is set when the cookie is created, cookie.clear does not remove the cookie.
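The behaviour reported above follows from RFC 6265: a browser replaces a stored cookie only when the new cookie's name, Domain and Path all match, and a Set-Cookie with no Path attribute gets a default path derived from the request URL (for /path/logout that is /path, not /). The following is an added example, not code from iron-sessionstorage or from the issue author: a minimal Set-Cookie parser, the RFC 6265 default-path rule, and a check that tells whether a clearing cookie sent from a given route would actually replace the original session cookie. The SetCookie struct and function names are assumptions made for this illustration; the Expires date is only detected, not parsed.

```rust
/// Added example, not iron-sessionstorage's code: a minimal Set-Cookie parser
/// plus the RFC 6265 default-path rule, used to check whether the cookie sent
/// from a logout route actually replaces the session cookie set earlier.
#[derive(Debug, Clone, PartialEq)]
pub struct SetCookie {
    pub name: String,
    pub value: String,
    pub path: Option<String>,
    pub domain: Option<String>,
    pub max_age: Option<i64>,
    pub has_expires: bool, // the date itself is not parsed in this example
}

pub fn parse_set_cookie(header: &str) -> Option<SetCookie> {
    let mut parts = header.split(';').map(str::trim);
    let (name, value) = parts.next()?.split_once('=')?;
    if name.is_empty() {
        return None;
    }
    let mut c = SetCookie {
        name: name.to_string(),
        value: value.to_string(),
        path: None,
        domain: None,
        max_age: None,
        has_expires: false,
    };
    for attr in parts {
        let (k, v) = attr.split_once('=').unwrap_or((attr, ""));
        match k.to_ascii_lowercase().as_str() {
            "path" => c.path = Some(v.to_string()),
            "domain" => c.domain = Some(v.trim_start_matches('.').to_ascii_lowercase()),
            "max-age" => c.max_age = v.parse().ok(),
            "expires" => c.has_expires = true,
            _ => {} // Secure, HttpOnly, SameSite do not take part in matching
        }
    }
    Some(c)
}

/// RFC 6265 section 5.1.4: a cookie without a Path attribute gets the request
/// path up to, but not including, its right-most '/'.
pub fn default_path(request_path: &str) -> String {
    if !request_path.starts_with('/') {
        return "/".to_string();
    }
    match request_path.rfind('/') {
        Some(0) | None => "/".to_string(),
        Some(i) => request_path[..i].to_string(),
    }
}

pub fn effective_path(c: &SetCookie, request_path: &str) -> String {
    c.path.clone().unwrap_or_else(|| default_path(request_path))
}

/// The browser replaces a cookie only when name, Domain and effective Path all
/// match. A "clearing" cookie that misses on Path is stored as a second cookie
/// and the original session cookie keeps being sent.
pub fn would_clear(original: &SetCookie, set_on: &str, clearing: &SetCookie, cleared_on: &str) -> bool {
    let expired = clearing.max_age.map_or(false, |a| a <= 0) || clearing.has_expires;
    original.name == clearing.name
        && original.domain == clearing.domain
        && effective_path(original, set_on) == effective_path(clearing, cleared_on)
        && expired
}

/// Build the clearing header by copying Path and Domain from the original.
pub fn clearing_header_for(original: &SetCookie, set_on: &str) -> String {
    let mut h = format!(
        "{}=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path={}",
        original.name,
        effective_path(original, set_on)
    );
    if let Some(d) = &original.domain {
        h.push_str("; Domain=");
        h.push_str(d);
    }
    h
}

fn main() {
    // Session cookie as set at the root, and a naive clear sent from /path/logout.
    let original = parse_set_cookie("iron_session_id=abc123; Path=/; HttpOnly").unwrap();
    let naive = parse_set_cookie("iron_session_id=; Max-Age=0").unwrap();
    println!("naive clear from /path/logout works: {}", would_clear(&original, "/", &naive, "/path/logout"));
    let fixed = clearing_header_for(&original, "/");
    println!("{}", fixed);
    let fixed_cookie = parse_set_cookie(&fixed).unwrap();
    println!("fixed clear works: {}", would_clear(&original, "/", &fixed_cookie, "/path/logout"));
}
```

The check is worth running against any logout handler that lives below the root: if the clearing Set-Cookie is emitted without the same Path (and Domain) the session cookie was created with, the browser keeps the original and the user stays logged in.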

OpenSSL Issue

On Mac OSX, not sure if this is because the dependencies are using an old SSL lib but:

    Finished debug [unoptimized + debuginfo] target(s) in 29.83 secs
     Running `target/debug/ticket`
thread '<unnamed>' panicked at 'assertion failed: `(left == right)` (left: `1785120033`, right: `1`)', /Users/daniel/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-0.7.14/src/crypto/hmac.rs:100
stack backtrace:
   1:        0x10cf20669 - std::sys::backtrace::tracing::imp::write::hd4b54a4a2078cb15
   2:        0x10cf24c20 - std::panicking::default_hook::_{{closure}}::h51a5ee7ba6a9fcef
   3:        0x10cf23a80 - std::panicking::default_hook::hf823fce261e27590
   4:        0x10cf24106 - std::panicking::rust_panic_with_hook::h8d486474663979b9
   5:        0x10cf23f54 - std::panicking::begin_panic::h72862f004a4942ab
   6:        0x10cf23eb2 - std::panicking::begin_panic_fmt::hdc424a357d9142e1
   7:        0x10cd9a960 - openssl::crypto::hmac::HMAC::init_once::h6c1be8043153e464
   8:        0x10cd9a69c - openssl::crypto::hmac::HMAC::new::hc835af5cd678b49a
   9:        0x10cd926a4 - cookie::jar::secure::dosign::hb9c6a6427a227e73
  10:        0x10cd919b1 - cookie::jar::secure::sign::h6d41fdbca5f3d9ff
  11:        0x10cd907c2 - cookie::jar::CookieJar::signed::sign::h6e86c9b08ad35b93
  12:        0x10cd8fcf4 - cookie::jar::CookieJar::add::hf732eb62d98c7a01
  13:        0x10cbf265a - _<iron_sessionstorage..backends..signedcookie..SignedCookieSession as iron_sessionstorage..RawSession>::set_raw::h377fa7566ecf5606
  14:        0x10ca21ab0 - iron_sessionstorage::Session::set::hfbbae9f72769fe5f
  15:        0x10cae5f83 - ticket::auth_google_verify::hf10dc07bc849e1af
  16:        0x10cae9246 - fn(&mut iron..Request<'_, '_>) .> std..result..Result<iron..Response, iron..IronError> {auth_google_verify}::fn_pointer_shim.22161::h2fbd3bd41ef18a57
  17:        0x10ca50b5e - _<F as iron..middleware..Handler>::handle::h22de48e6374c9fd7
  18:        0x10ccf6600 - _<Box<iron..middleware..Handler $u2b$$u20$$u27$static$GT$$u20$as$u20$iron..middleware..Handler$GT$::handle::h9798f358c6a68919
  19:        0x10cb98100 - router::router::Router::handle_method::hcec774fe387922af
  20:        0x10cb98334 - _<router..router..Router as iron..middleware..Handler>::handle::h631927660298d45e
  21:        0x10ccf6600 - _<Box<iron..middleware..Handler $u2b$$u20$$u27$static$GT$$u20$as$u20$iron..middleware..Handler$GT$::handle::h9798f358c6a68919
  22:        0x10cae9485 - _<iron_sessionstorage..SessionStorage<B> as iron..middleware..AroundMiddleware>::around::_{{closure}}::h48a5d560fb0d1dd0
  23:        0x10ca50bfe - _<F as iron..middleware..Handler>::handle::he5cf3412d5b3c16a
  24:        0x10ccf6600 - _<Box<iron..middleware..Handler $u2b$$u20$$u27$static$GT$$u20$as$u20$iron..middleware..Handler$GT$::handle::h9798f358c6a68919
  25:        0x10ccf5c70 - iron::middleware::Chain::continue_from_handler::h9a3b67264521425a
  26:        0x10ccf5975 - iron::middleware::Chain::continue_from_before::h0ccca51f2240fc2f
  27:        0x10ccf4a7f - _<iron..middleware..Chain as iron..middleware..Handler>::handle::h236ac843e60a5fc5
  28:        0x10caa98cb - _<iron..iron..Iron<H> as hyper..server..Handler>::handle::h0c5f2bf1ba204163
  29:        0x10ca38506 - _<hyper..server..Worker<H>>::keep_alive_loop::h8a16c4fa81ded41f
  30:        0x10ca39408 - _<hyper..server..Worker<H>>::handle_connection::h34b174a6aea1eadd
  31:        0x10caea7c0 - hyper::server::handle::_{{closure}}::h63bb24528f23d471
  32:        0x10caeab08 - hyper::server::listener::spawn_with::_{{closure}}::hb64d74741f502ed4
  33:        0x10cad537a - _<std..panic..AssertUnwindSafe<F> as core..ops..FnOnce<()>>::call_once::h79495476b6d1c2d2
  34:        0x10ca48883 - std::panicking::try::do_call::hbd682eedc72d0acc
  35:        0x10cf2520a - __rust_maybe_catch_panic
  36:        0x10ca47f32 - std::panicking::try::h19e667580c75b9a6
  37:        0x10ca4639e - std::panic::catch_unwind::h1214a37da70578d6
  38:        0x10cae8faa - std::thread::Builder::spawn::_{{closure}}::h54075ed2441175d7
  39:        0x10ca772c3 - _<F as alloc..boxed..FnBox<A>>::call_box::h53ee1e2ed43ecc46
  40:        0x10cf23265 - std::sys::thread::Thread::new::thread_start::h57f688c224d4fa4d
  41:     0x7fff9133b99c - _pthread_body
  42:     0x7fff9133b919 - _pthread_start

Access session in BeforeMiddleware panics

Hi. I'm trying to access the session in a BeforeMiddleware, in order to check if the request is authenticated. This is my middleware:

use std::sync::Arc;

use iron::prelude::*;
use iron::{typemap, BeforeMiddleware};

// `Connection`, `User`, `entities::Session` and `CONFIG` are the application's
// own types and are not shown in the issue.
struct SessionMiddleware<C: Connection> {
    connection: Arc<C>,
}

// Lets the authenticated user be stored in `req.extensions`.
impl typemap::Key for User {
    type Value = User;
}

impl<C: Connection + 'static> BeforeMiddleware for SessionMiddleware<C> {
    fn before(&self, req: &mut Request) -> IronResult<()> {
        use ::entities::Session;
        use iron_sessionstorage::{SessionRequestExt, Value};
        // The issue reports that this `req.session()` call panics (see the
        // lib.rs line linked below).
        if let Some(session) = try!(req.session().get::<Session>()) {
            let sess: String = session.into_raw();
            let connection = self.connection.clone();
            let valid_seconds = ::CONFIG.read().unwrap().get_int("sessions.duration");
            if let Ok(Some(user)) = connection.verify_session(&sess, valid_seconds) {
                req.extensions.insert::<User>(user);
            }
        }
        Ok(())
    }
}

This is causing a panic here: https://github.com/iron/iron-sessionstorage/blob/master/src/lib.rs#L131

Is there any way to do what I'm attempting to do, or will I have to move this to the Handlers? I'd rather not put it in the Handlers, since I want to do this for every request, which seems to be pretty much the entire point of BeforeMiddlewares. I suspect that the fact that sessionstorage is an AroundMiddleware makes it impossible to access Sessions in a BeforeMiddleware?
