/*! * Connect - session * Copyright(c) 2010 Sencha Inc. * Copyright(c) 2011 TJ Holowaychuk * MIT Licensed */ /** * Module dependencies. */ var Session = require('./session/session') , MemoryStore = require('./session/memory') , Cookie = require('./session/cookie') , Store = require('./session/store') , utils = require('./../utils') , parse = require('url').parse , crypto = require('crypto'); // environment var env = process.env.NODE_ENV; /** * Expose the middleware. */ exports = module.exports = session; /** * Expose constructors. */ exports.Store = Store; exports.Cookie = Cookie; exports.Session = Session; exports.MemoryStore = MemoryStore; /** * Warning message for `MemoryStore` usage in production. */ var warning = 'Warning: connection.session() MemoryStore is not\n' + 'designed for a production environment, as it will leak\n' + 'memory, and obviously only work within a single process.'; /** * Default finger-printing function. */ function defaultFingerprint(req) { var ua = req.headers['user-agent'] || ''; return ua.replace(/;?\schromeframe\/[\d\.]+/, ''); }; /** * Paths to ignore. */ exports.ignore = []; /** * Setup session store with the given `options`. * * Session data is _not_ saved in the cookie itself, however * cookies are used, so we must use the [cookieParser()](middleware-cookieParser.html) * middleware _before_ `session()`. * * Examples: * * connect.createServer( * connect.cookieParser() * , connect.session({ secret: 'keyboard cat' }) * ); * * Options: * * - `key` cookie name defaulting to `connect.sid` * - `store` Session store instance * - `fingerprint` Custom fingerprint generating function * - `cookie` Session cookie settings, defaulting to `{ path: '/', httpOnly: true, maxAge: 14400000 }` * - `secret` Secret string used to compute hash * * Ignore Paths: * * By default `/favicon.ico` is the only ignored path, all others * will utilize sessions, to manipulate the paths ignored, use * `connect.session.ignore.push('/my/path')`. This works for _full_ * pathnames only, not segments nor substrings. * * connect.session.ignore.push('/robots.txt'); * * ## req.session * * To store or access session data, simply use the request property `req.session`, * which is (generally) serialized as JSON by the store, so nested objects * are typically fine. For example below is a user-specific view counter: * * connect( * connect.cookieParser() * , connect.session({ secret: 'keyboard cat', cookie: { maxAge: 60000 }}) * , connect.favicon() * , function(req, res, next){ * var sess = req.session; * if (sess.views) { * res.setHeader('Content-Type', 'text/html'); * res.write('

views: ' + sess.views + '

'); * res.write('

expires in: ' + (sess.cookie.maxAge / 1000) + 's

'); * res.end(); * sess.views++; * } else { * sess.views = 1; * res.end('welcome to the session demo. refresh!'); * } * } * ).listen(3000); * * ## Session#regenerate() * * To regenerate the session simply invoke the method, once complete * a new SID and `Session` instance will be initialized at `req.session`. * * req.session.regenerate(function(err){ * // will have a new session here * }); * * ## Session#destroy() * * Destroys the session, removing `req.session`, will be re-generated next request. * * req.session.destroy(function(err){ * // cannot access session here * }); * * ## Session#reload() * * Reloads the session data. * * req.session.reload(function(err){ * // session updated * }); * * ## Session#save() * * Save the session. * * req.session.save(function(err){ * // session saved * }); * * ## Session#touch() * * Updates the `.maxAge`, and `.lastAccess` properties. Typically this is * not necessary to call, as the session middleware does this for you. * * ## Session#cookie * * Each session has a unique cookie object accompany it. This allows * you to alter the session cookie per visitor. For example we can * set `req.session.cookie.expires` to `false` to enable the cookie * to remain for only the duration of the user-agent. * * ## Session#maxAge * * Alternatively `req.session.cookie.maxAge` will return the time * remaining in milliseconds, which we may also re-assign a new value * to adjust the `.expires` property appropriately. The following * are essentially equivalent * * var hour = 3600000; * req.session.cookie.expires = new Date(Date.now() + hour); * req.session.cookie.maxAge = hour; * * For example when `maxAge` is set to `60000` (one minute), and 30 seconds * has elapsed it will return `30000` until the current request has completed, * at which time `req.session.touch()` is called to update `req.session.lastAccess`, * and reset `req.session.maxAge` to its original value. * * req.session.cookie.maxAge; * // => 30000 * * Session Store Implementation: * * Every session store _must_ implement the following methods * * - `.get(sid, callback)` * - `.set(sid, session, callback)` * - `.destroy(sid, callback)` * * Recommended methods include, but are not limited to: * * - `.length(callback)` * - `.clear(callback)` * * For an example implementation view the [connect-redis](http://github.com/visionmedia/connect-redis) repo. * * @param {Object} options * @return {Function} * @api public */ function session(options){ var options = options || {} , key = options.key || 'connect.sid' , secret = options.secret , store = options.store || new MemoryStore , fingerprint = options.fingerprint || defaultFingerprint , cookie = options.cookie; // notify user that this store is not // meant for a production environment if ('production' == env && store instanceof MemoryStore) { console.warn(warning); } // ensure secret is present if (!secret) { throw new Error('connect.session({ secret: "string" }) required for security'); } // session hashing function store.hash = function(req, base) { return crypto .createHmac('sha256', secret) .update(base + fingerprint(req)) .digest('base64') .replace(/=*$/, ''); }; // generates the new session store.generate = function(req){ var base = utils.uid(24); var sessionID = base + '.' + store.hash(req, base); req.sessionID = sessionID; req.session = new Session(req); req.session.cookie = new Cookie(cookie); }; return function session(req, res, next) { // self-awareness if (req.session) return next(); // parse url var url = parse(req.url) , path = url.pathname; // ignorable paths if (~exports.ignore.indexOf(path)) return next(); // expose store req.sessionStore = store; // proxy writeHead() to Set-Cookie var writeHead = res.writeHead; res.writeHead = function(status, headers){ if (req.session) { var cookie = req.session.cookie; // only send secure session cookies when there is a secure connection. // proxySecure is a custom attribute to allow for a reverse proxy // to handle SSL connections and to communicate to connect over HTTP that // the incoming connection is secure. var secured = cookie.secure && (req.connection.encrypted || req.connection.proxySecure); if (secured || !cookie.secure) { res.setHeader('Set-Cookie', cookie.serialize(key, req.sessionID)); } } res.writeHead = writeHead; return res.writeHead(status, headers); }; // proxy end() to commit the session var end = res.end; res.end = function(data, encoding){ res.end = end; if (req.session) { // HACK: ensure Set-Cookie for implicit writeHead() if (!res._header) res._implicitHeader(); req.session.resetMaxAge(); req.session.save(function(){ res.end(data, encoding); }); } else { res.end(data, encoding); } }; // session hashing function hash(base) { return store.hash(req, base); } // generate the session function generate() { store.generate(req); } // get the sessionID from the cookie req.sessionID = req.cookies[key]; // make a new session if the browser doesn't send a sessionID if (!req.sessionID) { generate(); next(); return; } // check the fingerprint var parts = req.sessionID.split('.'); if (parts[1] != hash(parts[0])) { generate(); next(); return; } // generate the session object var pause = utils.pause(req); store.get(req.sessionID, function(err, sess){ // proxy to resume() events var _next = next; next = function(err){ _next(err); pause.resume(); } // error handling if (err) { if ('ENOENT' == err.code) { generate(); next(); } else { next(err); } // no session } else if (!sess) { generate(); next(); // populate req.session } else { store.createSession(req, sess); next(); } }); }; };