


use strict;
# Symbolic references are allowed for the whole file.
# NOTE(review): no symbolic-reference use is visible in this part of the
# file (all calls are fully qualified or method calls) — confirm this
# relaxation is still needed.
no strict 'refs';

# Package-global inheritance array (pre-`our` idiom); this class is a
# Collection, and instances are tied hashes blessed into this package.
use vars qw(@ISA);
@ISA = ('Apache::ASP::Collection');

# Allow an id to be passed in so that the session manager
# can clean up other sessions.
sub new {
    my($asp, $id, $perms, $no_error) = @_;
    my($state, %self, $started);
    my $internal = $asp->{Internal};

    # if we are passing in the id, then we are doing a 
    # quick session lookup and can bypass the normal checks
    # this is useful for the session manager and such
    if($id) {
	$internal->LOCK;
	$state = Apache::ASP::State::new($asp, $id, undef, $perms, $no_error);
	#	$state->Set() || $asp->Error("session state get failed");
	if($state) {
	    tie %self, 'Apache::ASP::Session', 
	    {
	     state=>$state, 
	     asp=>$asp, 
	     id=>$id,
	    };
	    $internal->UNLOCK;
	    return bless \%self;
	} else {
	    $internal->UNLOCK;
	    return;
	}
    }

    # lock down so no conflict with garbage collection
    $internal->LOCK();
    if($id = $asp->SessionId()) {
	my $idata = $internal->{$id};
	#	$asp->Debug("internal data for session $id", $idata);
	if($idata && ! $idata->{'end'} ) {
	    # user is authentic, since the id is in our internal hash
	    if($idata->{timeout} > time()) {
		# refresh and unlock as early as possible to not conflict 
		# with garbage collection
		$asp->RefreshSessionId($id);
		$state = Apache::ASP::State::new($asp, $id);
		$internal->UNLOCK();

		# session not expired
		$asp->{dbg} && 
		  $asp->Debug("session not expired",{'time'=>time(), timeout=>$idata->{timeout}});

		if($asp->{paranoid_session}) {
		    local $^W = 0;
		    # by testing for whether UA was set to begin with, we 
		    # allow a smooth upgrade to ParanoidSessions
		    $state->WriteLock() if $asp->{session_serialize};
		    my $state_ua = $state->FETCH('_UA');
		    if(defined($state_ua) and $state_ua ne $asp->{'ua'}) {
			$asp->Log("[security] hacker guessed id $id; ".
				  "user-agent ($asp->{'ua'}) does not match ($state_ua); ".
				  "destroying session & establishing new session id"
				  );
			$state->Init();
			undef $state;
			goto NEW_SESSION_ID;		    
		    }
		}

		$started = 0;
	    } else {
		# expired, get & reset
		$internal->{$id} = { %{$internal->{$id}}, 'end' => 1 };
		$internal->UNLOCK();	      

		# remove this section, allow lazy cleanup, this caused a bug 
		# in which sessions cleared in this way, but didn't have their files cleaned up 
		# would have their timeout restored later
		#
#		$asp->Debug("session $id timed out, clearing");
#		$asp->{GlobalASA}->SessionOnEnd($id);
#		$internal->LOCK();
#		delete $internal->{$id};
#		$internal->UNLOCK();
		
		# we need to create a new state now after the clobbering
		# with SessionOnEnd
		goto NEW_SESSION_ID;
	    }
	} else {
	    # never seen before, maybe session garbage collected already
	    # or coming in from querystringed search engine

	    # wish we could do more 
	    # but proxying + nat prevents us from securing via ip address
	    goto NEW_SESSION_ID;
	}
    } else {
	# give user new session id, we must lock this portion to avoid
	# concurrent identical session key creation, this is the 
	# only critical part of the session manager

      NEW_SESSION_ID:
	my($trys);
	for(1..10) {
	    $trys++;
	    $id = $asp->Secret();

	    if($internal->{$id}) {
		$id = '';
	    } else {
		last;
	    }
	}

	$id && $asp->RefreshSessionId($id, {});
	$asp->{Internal}->UNLOCK();	

	$asp->Log("[security] secret algorithm is no good with $trys trys")
	    if ($trys > 3);


