Release 2.2, fixing issue #18.

Author: bungle

CHANGES

@@ -1,3 +1,17 @@
+Changes with lua-resty-session 2.2                               17 Sep 2015
+
+    *) Change: Removed all session_cipher_* deprecated settings
+       (it was somewhat broken in 2.1).
+
+    *) Change: Changed session secret to be by default 32 bytes random data
+
+    See Also: https://github.com/bungle/lua-resty-session/issues/18
+
+    Thanks @iain-buclaw-sociomantic
+
+    *) Documentation: Added documentation about removed features and
+       corrected about session secret size accordingly.
+
 Changes with lua-resty-session 2.1                                7 Sep 2015
 
     *) Feature: Added architecture for Cipher adapter plugins.

README.md

@@ -102,9 +102,8 @@ pluggable cipher adapters. You can also disable encryption by choosing `none` ad
 
 Session identifier length is by default 16 bytes (randomly generated data with OpenSSL
 `RAND_pseudo_bytes` function). The server secret is also generated by default with this same
-function, and its length is determined by calculating the used `$session_aes_size` divided
-by 8 (so by default it uses 32 bytes). This will work until Nginx is restarted, but you might want
-to consider setting your own secret using `set $session_secret 623q4hR325t36VsCD3g567922IC0073T;`,
+function and it's default length is 32 bytes. This will work until Nginx is restarted, but you
+might want to consider setting your own secret using `set $session_secret 623q4hR325t36VsCD3g567922IC0073T;`,
 for example (this will work in farms installations as well, but you are then responsible for
 rotating the secret). On farm installations you should also configure other session configuration
 variables the same on all the servers in the farm.
@@ -745,28 +744,28 @@ as where the original cookie was delivered. This check is disabled by default.
 `session.check.scheme` is additional check to validate that the request was made using the same protocol 
 as the one used when the original cookie was delivered. This check is enabled by default.
 
-#### number session.cipher.size (deprecated in 2.1, use session.aes.size)
+#### number session.cipher.size (deprecated in 2.1 and removed in 2.2, use session.aes.size)
 
 `session.cipher.size` holds the size of the cipher (`lua-resty-string` supports AES in `128`, `192`,
 and `256` bits key sizes). See `aes.cipher` function in `lua-resty-string` for more information.
 By default this will use `256` bits key size. This can be configured with Nginx
 `set $session_cipher_size 256;`.
 
-#### string session.cipher.mode (deprecated in 2.1, use session.aes.mode)
+#### string session.cipher.mode (deprecated in 2.1 and removed in 2.2, use session.aes.mode)
 
 `session.cipher.mode` holds the mode of the cipher. `lua-resty-string` supports AES in `ecb`, `cbc`,
 `cfb1`, `cfb8`, `cfb128`, `ofb`, and `ctr` modes (ctr mode is not available with 256 bit keys).
 See `aes.cipher` function in `lua-resty-string` for more information. By default `cbc` mode is
 used. This can be configured with Nginx `set $session_cipher_mode cbc;`.
 
-#### function session.cipher.hash (deprecated in 2.1, use session.aes.hash)
+#### function session.cipher.hash (deprecated in 2.1 and removed in 2.2, use session.aes.hash)
 
 `session.cipher.hash` is used in ecryption key, and iv derivation (see: OpenSSL
 [EVP_BytesToKey](https://www.openssl.org/docs/crypto/EVP_BytesToKey.html)). By default `sha512` is
 used but `md5`, `sha1`, `sha224`, `sha256`, and `sha384` are supported as well in `lua-resty-string`.
 This can be configured with Nginx `set $session_cipher_hash sha512;`.
 
-#### number session.cipher.rounds (deprecated in 2.1, use session.aes.rounds)
+#### number session.cipher.rounds (deprecated in 2.1 and removed in 2.2, use session.aes.rounds)
 
 `session.cipher.rounds` can be used to slow-down the encryption key, and iv derivation. By default
 this is set to `1` (the fastest). This can be configured with Nginx `set $session_cipher_rounds 1;`.
@@ -830,7 +829,7 @@ set $session_check_ua          on;
 set $session_check_scheme      on;
 set $session_check_addr        off;
 set $session_identifier_length 16;
-# these are deprecated in 2.1, use session_aes_* instead
+# these are deprecated in 2.1 and removed in 2.2, use session_aes_* instead
 set $session_cipher_mode       cbc;
 set $session_cipher_size       256;
 set $session_cipher_hash       sha512;

lib/resty/session.lua

@@ -129,10 +129,10 @@ local defaults = {
         length  = tonumber(ngx_var.session_identifier_length) or 16
     }
 }
-defaults.secret = ngx_var.session_secret or random(defaults.cipher.size / 8)
+defaults.secret = ngx_var.session_secret or random(32)
 
 local session = {
-    _VERSION = "2.1"
+    _VERSION = "2.2"
 }
 
 session.__index = session
@@ -159,6 +159,10 @@ function session.new(opts)
     if not o then
         k = require "resty.session.encoders.base64"
     end
+    local o, l = pcall(require, "resty.session.ciphers." .. (e or f))
+    if not o then
+        l = require "resty.session.ciphers.aes"
+    end
     local self = {
         name       = y.name    or z.name,
         serializer = j,
@@ -173,7 +177,7 @@ function session.new(opts)
             domain     = a.domain     or b.domain,
             secure     = a.secure     or b.secure,
             httponly   = a.httponly   or b.httponly,
-            delimiter  = a.delimiter  or b.delimiter,
+            delimiter  = a.delimiter  or b.delimiter
         }, check = {
             ssi        = c.ssi        or d.ssi,
             ua         = c.ua         or d.ua,
@@ -184,15 +188,6 @@ function session.new(opts)
         }
     }
     self.storage = i.new(self)
-    if type(e) == "table" then
-        -- This is for backward compability
-        self.aes = e
-        e = "aes"
-    end
-    local o, l = pcall(require, "resty.session.ciphers." .. (e or f))
-    if not o then
-        l = require "resty.session.ciphers.aes"
-    end
     self.cipher = l.new(self)
     return setmetatable(self, session)
 end