raxx

v0.14.13

raxx v0.14.13 Raxx.Session.SignedCookie

Use signed cookies to store the session for a client.

Sessions stored this way are signed to ensure that they have not been tampered. The secret given to config must be kept secure to prevent sessions being tampered

NOTE: the session is not encrypted so a user can read any value from the session, they are just unable to modify it.

Configuring sessions

Configuration is required to use signed cookies a session store. The most important value is the secret that is used when signing and verifying. To set up an new configuration use config/1.

It often makes sense to keep your session config in the application state

def handle_request(request, %{sessions: session_config})

Working with sessions

A session can be any term. Use embed/3 to set a new session value for a client. Embedding a new session value will override any previouse value.

iex> config = SignedCookie.config(secret: "eggplant")
...> Raxx.response(:no_content)
...> |> SignedCookie.embed({:user, 25}, config)
...> |> Raxx.get_header("set-cookie")
"raxx.session=g2gCZAAEdXNlcmEZ--gpW5K8Pgle9isXR5Qymz4m2VEU1DuEosNfgpLTQuRn0=; path=/; HttpOnly"

A client that has received a session should send it with all subequent requests. A session can be retrieved using extract/2. This step will also verify that the session has not been tampered with.

iex> config = SignedCookie.config(secret: "eggplant")
...> Raxx.request(:GET, "/")
...> |> Raxx.set_header("cookie", "raxx.session=g2gCZAAEdXNlcmEZ--gpW5K8Pgle9isXR5Qymz4m2VEU1DuEosNfgpLTQuRn0=")
...> |> SignedCookie.extract(config)
{:ok, {:user, 25}}

iex> config = SignedCookie.config(secret: "eggplant")
...> Raxx.request(:GET, "/")
...> |> Raxx.set_header("cookie", "raxx.session=g2gCZAAEdXNlcmEZ--sfbxaB-IEgUt_NwdmmZpJny9OzOx15D-6uwusW6X1ZY=")
...> |> SignedCookie.extract(config)
{:error, :could_not_verify_signature}

A session can be concluded by marking as expired. For example in response to a users sign out request.

iex> config = SignedCookie.config(secret: "eggplant")
...> Raxx.response(:no_content)
...> |> SignedCookie.expire(config)
...> |> Raxx.get_header("set-cookie")
"raxx.session=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT; max-age=0; HttpOnly"

NOTE

  • This module will be extracted from the Raxx project before 1.0 release.
  • The Rack.Session.Cookie module was the inspiration for this functionality. https://github.com/rack/rack/blob/master/lib/rack/session/cookie.rb

Link to this section Summary

Functions

config(options)

Setup configuration to work with sessions

embed(response, session, session_config)

Overwrite a clients session with a new value

expire(response, session_config)

Sent a response to client informing it to clear a session

extract(request, session_config)

Extract and verify the session sent from a client

Link to this section Functions

Link to this function config(options)

Setup configuration to work with sessions

Options

  • secret: (required) a secure random value used for signing session data.
  • cookie_name: default is "raxx.session"
  • previous_secrets: acceptable secrets to verify against old sessions.
Link to this function embed(response, session, session_config)

Overwrite a clients session with a new value.

Link to this function expire(response, session_config)

Sent a response to client informing it to clear a session.

Link to this function extract(request, session_config)

Extract and verify the session sent from a client.