[Seaside] newSessionOn: (was Meaningful URLs)
Kamil Kukura
kamk@volny.cz
Thu, 18 Apr 2002 18:01:21 +0200
>>The question is if session key should be as short as that. Someone
>>getting session 99 can easily imagine there may be already session 100 and
>>trying to get there by changing URL or cookie.
>>
>Very true. It shouldn't, I'm just lazy. It may want to be some hash of
>the client IP, date, etc, so that you can prevent such attacks if
>necessary. Patches are accepted, otherwise I'll fix it by the next
>release.
>
Attached is #newSessionOn: which generates an 80-bit number encoded in
base64. It uses IARequest>>headerAt: for looking up the host name and I
am not sure how it is with requests from IAModLisp.
--
Kamil
Attachment: IAApplication-newSessionOn.st
'From Squeak3.0 of 4 February 2001 [latest update: #3552] on 18 April 2002 at 5:58:53 pm'!
!IAApplication methodsFor: 'session handling' stamp: 'KamK 4/18/2002 17:56'!
newSessionOn: request
    "Create a new session, register it under a fresh 80-bit key encoded in base64, and answer that key."
    | bytesOf newSession seeds counter sessionKey |
    "bytesOf answers the bytes of an integer as a ByteArray, least significant byte first"
    bytesOf _ [:int |
        | length ba |
        length _ int digitLength.
        ba _ ByteArray new: length.
        1 to: length do: [:i | ba at: i put: (int digitAt: i)].
        ba].
    newSession _ sessionClass new application: self.
    "seed material: host header, hash of the new session object, millisecond clock"
    seeds _
        (request headerAt: 'host'),
        (bytesOf value: newSession hash),
        (bytesOf value: Time millisecondClockValue).
    counter _ 16rFFFFFFFFFFFFFFFF atRandom.
    "repeat with the next counter value until the key is not already in use"
    [
        | hash foldedHash |
        counter _ counter + 1.
        hash _ SecureHashAlgorithm new hashMessage: seeds, (bytesOf value: counter).
        "fold the 160-bit hash to 80 bits by XORing its two halves"
        foldedHash _ RWBinaryOrTextStream on: (ByteArray new: 10).
        1 to: 10 do: [:i |
            foldedHash nextPut: ((hash digitAt: i) bitXor: (hash digitAt: i+10))].
        sessionKey _ ((Base64MimeConverter mimeEncode: foldedHash)
            "avoid unacceptable (/) up to padding (=)"
            contents copyUpTo: $=) replaceAll: $/ with: $-.
        (sessions at: sessionKey) notNil
    ] whileTrue.
    sessions at: sessionKey put: newSession.
    ^ sessionKey
! !
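Added example, not part of the original message or of Seaside: a Python sketch (chosen so it runs stand-alone) of the steps the attached method takes, namely SHA-1 over the seeds, the two 80-bit halves XORed, base64 with the padding cut and `/` replaced, set beside an 80-bit key taken directly from the operating system's CSPRNG. All function names and sample values are constructed for illustration, and the folded key is not byte-compatible with what the Squeak method produces.

```python
import base64
import hashlib
import secrets
import string

URL_SAFE = set(string.ascii_letters + string.digits + "-_")

def int_bytes(n):
    """Bytes of a non-negative integer, least significant first (as bytesOf does)."""
    return n.to_bytes(max(1, (n.bit_length() + 7) // 8), "little")

def folded_key(host, object_hash, clock_ms, counter):
    """SHA-1 over the seeds, XOR the two 80-bit halves, base64, cut '=', '/' -> '-'."""
    seeds = host.encode() + int_bytes(object_hash) + int_bytes(clock_ms)
    digest = hashlib.sha1(seeds + int_bytes(counter)).digest()
    folded = bytes(a ^ b for a, b in zip(digest[:10], digest[10:]))
    return base64.b64encode(folded).decode().split("=")[0].replace("/", "-")

def random_key():
    """80 bits taken directly from the OS CSPRNG, in a URL-safe alphabet."""
    return secrets.token_urlsafe(10)

def new_session(sessions, session, make_key=random_key):
    """Store session under a key that is not yet in use and return the key."""
    while True:
        key = make_key()
        if key not in sessions:  # retry on collision, like the whileTrue loop
            sessions[key] = session
            return key

def unsafe_chars(key):
    """Characters of key outside the URL-safe set (letters, digits, '-', '_')."""
    return set(key) - URL_SAFE

if __name__ == "__main__":
    # Constructed sample inputs: host header, object hash, millisecond clock.
    sample = ("example.test", 1234567, 64733000)
    keys = [folded_key(*sample, counter) for counter in range(1000)]
    print("folded key :", keys[0], "length", len(keys[0]))
    print("extra chars:", sorted(set().union(*map(unsafe_chars, keys))))
    table = {}
    print("random key :", new_session(table, "session-1"))
```

`folded_key` is a pure function of its four inputs, so the key is only as unpredictable as those inputs are. It also leaves `+` from the base64 alphabet in place, while `secrets.token_urlsafe` emits only letters, digits, `-` and `_`.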