cookieSession.js
3.24 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
/*!
* Connect - cookieSession
* Copyright(c) 2011 Sencha Inc.
* MIT Licensed
*/
/**
* Module dependencies.
*/
var utils = require('./../utils')
, Cookie = require('./session/cookie')
, debug = require('debug')('connect:cookieSession')
, signature = require('cookie-signature')
, crc32 = require('buffer-crc32');
/**
* Cookie Session:
*
* Cookie session middleware.
*
* var app = connect();
* app.use(connect.cookieParser());
* app.use(connect.cookieSession({ secret: 'tobo!', cookie: { maxAge: 60 * 60 * 1000 }}));
*
* Options:
*
* - `key` cookie name defaulting to `connect.sess`
* - `secret` prevents cookie tampering
* - `cookie` session cookie settings, defaulting to `{ path: '/', httpOnly: true, maxAge: null }`
* - `proxy` trust the reverse proxy when setting secure cookies (via "x-forwarded-proto")
*
* Clearing sessions:
*
* To clear the session simply set its value to `null`,
* `cookieSession()` will then respond with a 1970 Set-Cookie.
*
* req.session = null;
*
* @param {Object} options
* @return {Function}
* @api public
*/
module.exports = function cookieSession(options){
// TODO: utilize Session/Cookie to unify API
options = options || {};
var key = options.key || 'connect.sess'
, trustProxy = options.proxy;
return function cookieSession(req, res, next) {
// req.secret is for backwards compatibility
var secret = options.secret || req.secret;
if (!secret) throw new Error('`secret` option required for cookie sessions');
// default session
req.session = {};
var cookie = req.session.cookie = new Cookie(options.cookie);
// pathname mismatch
if (0 != req.originalUrl.indexOf(cookie.path)) return next();
// cookieParser secret
if (!options.secret && req.secret) {
req.session = req.signedCookies[key] || {};
req.session.cookie = cookie;
} else {
// TODO: refactor
var rawCookie = req.cookies[key];
if (rawCookie) {
var unsigned = utils.parseSignedCookie(rawCookie, secret);
if (unsigned) {
var originalHash = crc32.signed(unsigned);
req.session = utils.parseJSONCookie(unsigned) || {};
req.session.cookie = cookie;
}
}
}
res.on('header', function(){
// removed
if (!req.session) {
debug('clear session');
cookie.expires = new Date(0);
res.setHeader('Set-Cookie', cookie.serialize(key, ''));
return;
}
delete req.session.cookie;
// check security
var proto = (req.headers['x-forwarded-proto'] || '').toLowerCase()
, tls = req.connection.encrypted || (trustProxy && 'https' == proto.split(/\s*,\s*/)[0]);
// only send secure cookies via https
if (cookie.secure && !tls) return debug('not secured');
// serialize
debug('serializing %j', req.session);
var val = 'j:' + JSON.stringify(req.session);
// compare hashes, no need to set-cookie if unchanged
if (originalHash == crc32.signed(val)) return debug('unmodified session');
// set-cookie
val = 's:' + signature.sign(val, secret);
val = cookie.serialize(key, val);
debug('set-cookie %j', cookie);
res.setHeader('Set-Cookie', val);
});
next();
};
};