Release 2.12.

Author: bungle

Changes.md

@@ -2,6 +2,22 @@
 
 All notable changes to `lua-resty-session` will be documented in this file.
 
+## [2.12] - 2016-11-21
+### Added
+- Implemented pluggable session identifier generators.
+- Implemented random session idenfier generator.
+
+### Changed
+- Now checks if headers were already sent before trying to set the
+  cookie headers.
+- SSL session identifier is not checked by default anymore.
+- Lua session.identifier.length changed to session.random.length.
+- Nginx $session_identifier_length changed to $session_random_length.
+
+## [2.11] - 2016-09-30
+### Changed
+- Just another OPM release to correct the name.
+
 ## [2.10] - 2016-09-29
 ### Added
 - Support for the official OpenResty package manager (opm).

README.md

@@ -61,7 +61,6 @@ http {
 
 ## Roadmap
 
-* Add support for session id generator plugins (maybe you don't want to use random data, and want UUID or maybe some kind of database identifier instead).
 * Add support for different schemes:
     * Encrypt-and-MAC: The ciphertext is generated by encrypting the plaintext and then appending a MAC of the plaintext.
     * MAC-then-encrypt: The ciphertext is generated by appending a MAC to the plaintext and then encrypting everything.
@@ -475,6 +474,51 @@ To configure session to use your adapter, you can do so with Nginx configuration
 set $session_encoder base64;
 ```
 
+## Pluggable Session Identifier Ganerators
+
+With version 2.12 we started to support pluggable session identifier generators in `lua-resty-session`.
+Right now we support only one type of generator, and that is:
+
+* `random`
+
+If you want to write your own session identifier generator, you need to implement one function:
+
+* `string function(config)`
+
+(the config is actually a session instance =
+
+You have to place your generator inside `resty.session.identifiers` for auto-loader to work.
+
+To configure session to use your generator, you can do so with Nginx configuration (or in Lua code):
+
+```nginx
+set $session_identifier_generator random;
+```
+
+#### Random Sesssion Identifier Generator
+
+Random generator uses `lua-resty-string`'s (an OpenResty core library) OpenSSL based cryptographically
+safe random generator.
+
+Random generator can be selected with configuration:
+
+```nginx
+set $session_identifier random;
+```
+
+Additionally you can configure Random generator with these settings:
+
+```nginx
+set $session_random_length 16;
+```
+
+Here follows the description of each setting:
+
+**length**
+
+`session.random.length` holds the length of the `session.id`. By default it is 16 bytes.
+This can be configured with Nginx `set $session_random_length 16;`.
+
 ## Lua API
 
 ### Functions and Methods
@@ -532,7 +576,7 @@ expiration time stored in a cookie.
 ```lua
 local session = require "resty.session".open()
 -- Set some options (overwriting the defaults or nginx configuration variables)
-local session = require "resty.session".open{ identifier = { length = 32 }}
+local session = require "resty.session".open{ random = { length = 32 }}
 -- Read some data
 if session.present then
     ngx.print(session.data.uid)
@@ -564,7 +608,7 @@ new session was created (either because user client didn't send a cookie or that
 ```lua
 local session = require "resty.session".start()
 -- Set some options (overwriting the defaults or nginx configuration variables)
-local session = require "resty.session".start{ identifier = { length = 32 }}
+local session = require "resty.session".start{ random = { length = 32 }}
 ```
 
 #### boolean, string session:regenerate(flush or nil)
@@ -639,12 +683,6 @@ object.
 `session.destroyed` can be used to check if the `session:destroy()` was called for the current session
 object. It will also set `session.opened`, `session.started`,  and `session.present` to false.
 
-
-#### number session.identifier.length
-
-`session.identifier.length` holds the length of the `session.id`. By default it is 16 bytes.
-This can be configured with Nginx `set $session_identifier_length 16;`.
-
 #### string session.key
 
 `session.key` holds the HMAC key. It is automatically generated. Nginx configuration like
@@ -741,8 +779,8 @@ parameter is used.
 #### boolean session.check.ssi
 
 `session.check.ssi` is additional check to validate that the request was made with the same SSL
-session as when the original cookie was delivered. This check is enabled by default on non-persistent
-sessions and disabled by default on persistent sessions. Please note that on TLS with TLS Tickets enabled,
+session as when the original cookie was delivered. This check is enabled by default on releases prior 2.12 on non-persistent
+sessions and disabled by default on persistent sessions and on releases 2.12 and later. Please note that on TLS with TLS Tickets enabled,
 this will be empty) and not used. This is discussed on issue #5 (https://github.com/bungle/lua-resty-session/issues/5).
 You can disable TLS tickets with Nginx configuration:
 
@@ -804,7 +842,9 @@ and `session.start`).
 Please note that Nginx has also its own SSL/TLS caches and timeouts. Especially note `ssl_session_timeout` if you
 are running services over SSL/TLS as this will end sessions regardless of `session.cookie.lifetime`. Please adjust
 that accordingly or disable `ssl_session_id` check `session.check.ssi = false` (in code) or
-`set $session_check_ssi off;` (in Nginx configuration).
+`set $session_check_ssi off;` (in Nginx configuration). As of 2.12 checking SSL session identifier check (`$session_check_ssi` / `session.check.ssi`)
+is disabled by default because it was not reliable (most servers use session tickets now), and it usually needed
+extra configuration.
 
 You may want to add something like this to your Nginx SSL/TLS config (quite a huge cache in this example, 1 MB is
 about 4.000 SSL sessions):
@@ -846,12 +886,18 @@ set $session_cookie_samesite   Lax;
 set $session_cookie_secure     on;
 set $session_cookie_httponly   on;
 set $session_cookie_delimiter  |;
-set $session_check_ssi         on;
+set $session_check_ssi         off;
 set $session_check_ua          on;
 set $session_check_scheme      on;
 set $session_check_addr        off;
+set $session_random_length     16;
+set $session_aes_mode          cbc;
+set $session_aes_size          256;
+set $session_aes_hash          sha512;
+set $session_aes_rounds        1;
+# this is removed in 2.12, use session_random_length instead:
 set $session_identifier_length 16;
-# these are deprecated in 2.1 and removed in 2.2, use session_aes_* instead
+# these are deprecated in 2.1 and removed in 2.2, use session_aes_* instead:
 set $session_cipher_mode       cbc;
 set $session_cipher_size       256;
 set $session_cipher_hash       sha512;

lib/resty/session.lua

@@ -19,6 +19,7 @@ local function enabled(val)
 end
 
 local function setcookie(session, value, expires)
+    if ngx.headers_sent then return nil, "Attempt to set session cookie after sending out response headers." end
     local c = session.cookie
     local i = 3
     local n = session.name .. "="
@@ -94,8 +95,8 @@ local function save(session, close)
 end
 
 local function regenerate(session, flush)
-    local i = session.present and session.id or nil
-    session.id = random(session.identifier.length, true) or random(session.identifier.length)
+    local i = session.present and session.id
+    session.id = session:identifier()
     if flush then
         if i and session.storage.destroy then
             session.storage:destroy(i);
@@ -104,15 +105,15 @@ local function regenerate(session, flush)
     end
 end
 
-local persistent = enabled(var.session_cookie_persistent or false)
 local defaults = {
     name       = var.session_name       or "session",
+    identifier = var.session_identifier or "random",
     storage    = var.session_storage    or "cookie",
     serializer = var.session_serializer or "json",
     encoder    = var.session_encoder    or "base64",
     cipher     = var.session_cipher     or "aes",
     cookie = {
-        persistent = persistent,
+        persistent = enabled(var.session_cookie_persistent or false),
         renew      = tonumber(var.session_cookie_renew)    or 600,
         lifetime   = tonumber(var.session_cookie_lifetime) or 3600,
         path       = var.session_cookie_path               or "/",
@@ -122,18 +123,17 @@ local defaults = {
         httponly   = enabled(var.session_cookie_httponly   or true),
         delimiter  = var.session_cookie_delimiter          or "|"
     }, check = {
-        ssi    = enabled(var.session_check_ssi    or persistent == false),
+        ssi    = enabled(var.session_check_ssi    or false),
         ua     = enabled(var.session_check_ua     or true),
         scheme = enabled(var.session_check_scheme or true),
         addr   = enabled(var.session_check_addr   or false)
-    }, identifier = {
-        length  = tonumber(var.session_identifier_length) or 16
-    }
+    },
+
 }
 defaults.secret = var.session_secret or random(32, true) or random(32)
 
 local session = {
-    _VERSION = "2.10"
+    _VERSION = "2.12"
 }
 
 session.__index = session
@@ -147,27 +147,31 @@ function session.new(opts)
     local a, b = y.cookie     or z.cookie,     z.cookie
     local c, d = y.check      or z.check,      z.check
     local e, f = y.cipher     or z.cipher,     z.cipher
-    local g, h = y.identifier or z.identifier, z.identifier
-    local o, i = pcall(require, "resty.session.storage." .. (y.storage or z.storage))
+    local o, g = pcall(require, "resty.session.identifiers." .. (y.identifier or z.identifier))
+    if not o then
+        g = require "resty.session.identifiers.random"
+    end
+    local o, h = pcall(require, "resty.session.storage." .. (y.storage or z.storage))
     if not o then
-        i = require "resty.session.storage.cookie"
+        h = require "resty.session.storage.cookie"
     end
-    local o, j = pcall(require, "resty.session.serializers." .. (y.serializer or z.serializer))
+    local o, i = pcall(require, "resty.session.serializers." .. (y.serializer or z.serializer))
     if not o then
-        j = require "resty.session.serializers.json"
+        i = require "resty.session.serializers.json"
     end
-    local o, k = pcall(require, "resty.session.encoders." .. (y.encoder or z.encoder))
+    local o, j = pcall(require, "resty.session.encoders." .. (y.encoder or z.encoder))
     if not o then
-        k = require "resty.session.encoders.base64"
+        j = require "resty.session.encoders.base64"
     end
-    local o, l = pcall(require, "resty.session.ciphers." .. (e or f))
+    local o, k = pcall(require, "resty.session.ciphers." .. (e or f))
     if not o then
-        l = require "resty.session.ciphers.aes"
+        k = require "resty.session.ciphers.aes"
     end
     local self = {
         name       = y.name    or z.name,
-        serializer = j,
-        encoder    = k,
+        identifier = g,
+        serializer = i,
+        encoder    = j,
         data       = y.data    or {},
         secret     = y.secret  or z.secret,
         cookie = {
@@ -185,12 +189,10 @@ function session.new(opts)
             ua         = c.ua         or d.ua,
             scheme     = c.scheme     or d.scheme,
             addr       = c.addr       or d.addr
-        }, identifier = {
-            length     = g.length     or h.length
         }
     }
-    self.storage = i.new(self)
-    self.cipher = l.new(self)
+    self.storage = h.new(self)
+    self.cipher = k.new(self)
     return setmetatable(self, session)
 end
 
@@ -268,13 +270,16 @@ function session.start(opts)
     local self, present = session.open(opts)
     if present then
         if self.storage.start then
-            self.storage:start(self.id)
+            local ok, err = self.storage:start(self.id)
+            if not ok then return nil, err end
         end
         if self.expires - time() < self.cookie.renew then
-            save(self)
+            local ok, err = save(self)
+            if not ok then return nil, err end
         end
     else
-        save(self)
+        local ok, err = save(self)
+        if not ok then return nil, err end
     end
     self.started = true
     return self, present
@@ -287,7 +292,7 @@ end
 
 function session:save(close)
     if not self.id then
-        self.id = random(self.identifier.length, true) or random(self.identifier.length)
+        self.id = self:identifier()
     end
     return save(self, close ~= false)
 end

lib/resty/session/identifiers/random.lua

@@ -0,0 +1,13 @@
+local tonumber = tonumber
+local random = require "resty.random".bytes
+local var = ngx.var
+
+local defaults = {
+    length = tonumber(var.session_random_length) or 16
+}
+
+return function(config)
+    local c = config.random or defaults
+    local l = c.length or defaults.length
+    return random(l, true) or random(l)
+end

lua-resty-session-dev-1.rockspec

@@ -4,7 +4,7 @@ source = {
     url = "git://github.com/bungle/lua-resty-session.git"
 }
 description = {
-    summary = "Session library for OpenResty implementing Secure Cookie Protocol",
+    summary = "Session Library for OpenResty – Flexible and Secure",
     detailed = "lua-resty-session is a secure, and flexible session library for OpenResty.",
     homepage = "https://github.com/bungle/lua-resty-session",
     maintainer = "Aapo Talvensaari <[email protected]>",
@@ -16,17 +16,18 @@ dependencies = {
 build = {
     type = "builtin",
     modules = {
-        ["resty.session"]                   = "lib/resty/session.lua",
-        ["resty.session.storage.shm"]       = "lib/resty/session/storage/shm.lua",
-        ["resty.session.storage.redis"]     = "lib/resty/session/storage/redis.lua",
-        ["resty.session.storage.cookie"]    = "lib/resty/session/storage/cookie.lua",
-        ["resty.session.storage.memcache"]  = "lib/resty/session/storage/memcache.lua",
-        ["resty.session.storage.memcached"] = "lib/resty/session/storage/memcached.lua",
-        ["resty.session.ciphers.aes"]       = "lib/resty/session/ciphers/aes.lua",
-        ["resty.session.ciphers.none"]      = "lib/resty/session/ciphers/none.lua",
-        ["resty.session.encoders.hex"]      = "lib/resty/session/encoders/hex.lua",
-        ["resty.session.encoders.base16"]   = "lib/resty/session/encoders/base16.lua",
-        ["resty.session.encoders.base64"]   = "lib/resty/session/encoders/base64.lua",
-        ["resty.session.serializers.json"]  = "lib/resty/session/serializers/json.lua"
+        ["resty.session"]                    = "lib/resty/session.lua",
+        ["resty.session.identifiers.random"] = "lib/resty/session/identifiers/random.lua",
+        ["resty.session.storage.shm"]        = "lib/resty/session/storage/shm.lua",
+        ["resty.session.storage.redis"]      = "lib/resty/session/storage/redis.lua",
+        ["resty.session.storage.cookie"]     = "lib/resty/session/storage/cookie.lua",
+        ["resty.session.storage.memcache"]   = "lib/resty/session/storage/memcache.lua",
+        ["resty.session.storage.memcached"]  = "lib/resty/session/storage/memcached.lua",
+        ["resty.session.ciphers.aes"]        = "lib/resty/session/ciphers/aes.lua",
+        ["resty.session.ciphers.none"]       = "lib/resty/session/ciphers/none.lua",
+        ["resty.session.encoders.hex"]       = "lib/resty/session/encoders/hex.lua",
+        ["resty.session.encoders.base16"]    = "lib/resty/session/encoders/base16.lua",
+        ["resty.session.encoders.base64"]    = "lib/resty/session/encoders/base64.lua",
+        ["resty.session.serializers.json"]   = "lib/resty/session/serializers/json.lua"
     }
 }