[Seaside] newSessionOn: (was Meaningful URLs)

Kamil Kukura kamk@volny.cz
Thu, 18 Apr 2002 18:01:21 +0200



>>The question is if the session key should be as short as that. Someone
>>getting session 99 can easily imagine there may already be a session 100
>>and try to get there by changing the URL or cookie.
>>
>Very true.  It shouldn't, I'm just lazy.  It may want to be some hash of
>the client IP, date, etc, so that you can prevent such attacks if
>necessary.  Patches are accepted, otherwise I'll fix it by the next
>release.
>
Attached is #newSessionOn:, which generates an 80-bit number encoded in 
base64. It uses IARequest>>headerAt: to look up the host name, and I 
am not sure how that works with requests from IAModLisp.

-- 
Kamil


[Attachment: IAApplication-newSessionOn.st]
'From Squeak3.0 of 4 February 2001 [latest update: #3552] on 18 April 2002 at 5:58:53 pm'!

!IAApplication methodsFor: 'session handling' stamp: 'KamK 4/18/2002 17:56'!
newSessionOn: request
	"Create a new session and register it under a key that is not guessable
	from the keys of neighbouring sessions. The key is an 80-bit fold of a
	SHA-1 digest over the Host header, the new session's identity hash, the
	millisecond clock and a randomly started counter, written in base64 with
	the characters that are awkward in URLs replaced."

	| host bytesOf newSession seeds counter sessionKey |

	"Little-endian bytes of a non-negative Integer (digitAt: counts from the low byte)."
	bytesOf _ [:int |
		| length ba |
		length _ int digitLength.
		ba _ ByteArray new: length.
		1 to: length do: [:i | ba at: i put: (int digitAt: i)].
		ba].

	newSession _ sessionClass new application: self.

	"The Host header may be missing (HTTP/1.0 clients, or a front end that
	drops it); use an empty string rather than failing on nil , aByteArray."
	host _ request headerAt: 'host'.
	host isNil ifTrue: [host _ ''].
	seeds _
		host,
		(bytesOf value: newSession hash),
		(bytesOf value: Time millisecondClockValue).

	"Random starting point for the counter. Squeak's Random is a plain
	Park-Miller generator, not a cryptographic one; the counter mostly serves
	to separate keys minted within the same millisecond."
	counter _ 16rFFFFFFFFFFFFFFFF atRandom.
	[
		| hash foldedHash |
		counter _ counter + 1.
		hash _ SecureHashAlgorithm new hashMessage: seeds, (bytesOf value: counter).

		"Fold the 160-bit digest to 80 bits: XOR digit i with digit i+10."
		foldedHash _ RWBinaryOrTextStream on: (ByteArray new: 10).
		1 to: 10 do: [:i |
			foldedHash nextPut: ((hash digitAt: i) bitXor: (hash digitAt: i+10))].
		"mimeEncode: reads from the stream's current position, so rewind it
		after writing; otherwise the encoder sees an already exhausted stream."
		foldedHash reset.

		"Drop the '=' padding and replace the two base64 characters that are
		unsafe in URLs: '/' (as before) and '+', which query-string decoding
		turns into a space."
		sessionKey _ (((Base64MimeConverter mimeEncode: foldedHash) contents
			copyUpTo: $=)
				replaceAll: $/ with: $-)
				replaceAll: $+ with: $_.

		"Retry on the (unlikely) collision; includesKey: works whether or not
		the sessions collection answers nil for a missing key."
		(sessions includesKey: sessionKey)
	] whileTrue.

	sessions at: sessionKey put: newSession.
	^ sessionKey

! !

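The derivation in the attached method, ported to Python as an added example (it is neither Seaside code nor Kamil's) so the key's shape can be checked outside a Squeak image: 10 folded SHA-1 bytes come out as 14 URL-safe characters with no padding. The host name, identity hash and clock value are constructed inputs, the function names are the example's own, and it goes slightly beyond the posted code in two places: '+' is replaced as well as '/', and random_key shows the alternative of taking the 80 bits straight from the operating system's CSPRNG instead of hashing request material.

```python
"""Session keys in the shape of the posted #newSessionOn:, plus a CSPRNG alternative.
Added example for this thread, not Seaside code; all inputs below are constructed."""
import base64
import hashlib
import secrets

KEY_BYTES = 10  # 80 bits, as in the posted Smalltalk method


def le_bytes(n: int) -> bytes:
    """Little-endian digits of a non-negative integer, as Squeak's digitAt: enumerates them."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "little")


def fold_sha1(message: bytes) -> bytes:
    """SHA-1, then XOR the two 80-bit halves of the digest down to 10 bytes."""
    digest = hashlib.sha1(message).digest()
    return bytes(a ^ b for a, b in zip(digest[:KEY_BYTES], digest[KEY_BYTES:]))


def url_token(raw: bytes) -> str:
    """Base64 without '=' padding; '/' -> '-' as in the posted code, and also
    '+' -> '_' because '+' is decoded as a space in URL query strings."""
    text = base64.b64encode(raw).decode("ascii").rstrip("=")
    return text.replace("/", "-").replace("+", "_")


def derived_key(host: str, session_hash: int, clock_ms: int, counter: int) -> str:
    """The posted derivation: hash(Host header, session identity hash, ms clock, counter)."""
    seeds = host.encode("latin-1") + le_bytes(session_hash) + le_bytes(clock_ms)
    return url_token(fold_sha1(seeds + le_bytes(counter)))


def random_key() -> str:
    """Alternative: 80 bits straight from the OS CSPRNG, no request-dependent material."""
    return url_token(secrets.token_bytes(KEY_BYTES))


def new_session_key(sessions, host, session_hash, clock_ms, counter):
    """Mirror of the method's retry loop: bump the counter until the key is unused."""
    while True:
        counter += 1
        key = derived_key(host, session_hash, clock_ms, counter)
        if key not in sessions:
            return key


def is_url_safe(key: str) -> bool:
    """True when the key needs no percent-encoding in a path or query value."""
    return key != "" and all(c.isalnum() or c in "-_" for c in key)


def demo():
    # Constructed inputs; a deployment takes them from the request and the clock.
    host, ident, clock = "www.example.org", 0x7A3, 1_018_000_000
    sessions = {}
    first = new_session_key(sessions, host, ident, clock, counter=41)
    sessions[first] = object()
    # Same seeds and counter start again: the loop has to skip the taken key.
    second = new_session_key(sessions, host, ident, clock, counter=41)
    return first, second, random_key()


if __name__ == "__main__":
    for label, key in zip(("first", "second", "random"), demo()):
        print(f"{label:6} {key}  len={len(key)} url_safe={is_url_safe(key)}")
```

Either generator yields keys that fit in a Seaside URL segment as-is; the difference is where the unpredictability comes from. With derived_key an attacker who knows the host and can bound the clock is left guessing the identity hash and the counter's random start, whereas random_key leaves nothing to infer from the request at all.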