NAME

HTTP::Session2 - HTTP session management

SYNOPSIS

    package MyApp;
    use HTTP::Session2;
    use HTTP::Session2::ClientStore2;
    use Crypt::CBC;

    my $cipher = Crypt::CBC->new(
        {
            key    => 'abcdefghijklmnop',
            cipher => 'Rijndael',
        }
    );

    sub session {
        my $self = shift;
        if (!exists $self->{session}) {
            $self->{session} = HTTP::Session2::ClientStore2->new(
                env    => $self->req->env,    # PSGI environment of the current request
                secret => 'very long secret string',
                cipher => $cipher,
            );
        }
        $self->{session};
    }

    __PACKAGE__->add_trigger(
        AFTER_DISPATCH => sub {
            my ($c, $res) = @_;
            if ($c->{session}) {
                # add the session cookies (including XSRF-TOKEN) to the response
                $c->{session}->finalize_plack_response($res);
            }
        },
    );

DESCRIPTION

HTTP::Session2 is yet another HTTP session data management library.

RELEASE STATE

Alpha. Any API may change without notice.

MOTIVATION

We need a thrifty session management library.

What's different from HTTP::Session 1?

Generate XSRF protection token by session management library

Most web applications need an XSRF protection library. tokuhirom's view is that the XSRF token is closely related to session management, so the session library generates it.

Dropped StickyQuery support

In Japan, old DoCoMo phones did not support cookies, so query-parameter-based session management was needed. But today Japanese users are on smartphones :) New projects do not have to support legacy phones.

Automatic XSRF token sending.

This is example code for filling in the XSRF token.
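The jQuery snippet that follows fills a hidden form field. As an added example that is not part of the HTTP::Session2 documentation, the same hand-off in plain JavaScript takes the header route the validator also accepts: it reads the XSRF-TOKEN cookie, skips GET/HEAD exactly as the server-side trigger does, and fails early when the cookie is missing. The cookie and header names are the page's; the function names are mine, and `init.headers` is assumed to be a plain object.

```javascript
// Added example, not from HTTP::Session2: double-submit of the XSRF token
// with fetch() instead of jQuery. XSRF-TOKEN / X-XSRF-TOKEN are the names the
// module's docs use; getXSRFToken/requiresXSRFToken/withXSRFToken are mine.

const XSRF_COOKIE = "XSRF-TOKEN";
const XSRF_HEADER = "X-XSRF-TOKEN";

// Parse a document.cookie string ("sid=1; XSRF-TOKEN=abc") and return the
// decoded token, or undefined when the cookie is absent.
function getXSRFToken(cookieString) {
  for (const pair of String(cookieString || "").split(/\s*;\s*/)) {
    const eq = pair.indexOf("=");
    if (eq === -1 || pair.slice(0, eq) !== XSRF_COOKIE) continue;
    const raw = pair.slice(eq + 1);          // value may itself contain '='
    try {
      return decodeURIComponent(raw);        // cookie values are often percent-encoded
    } catch (e) {
      return raw;                            // not encoded: use verbatim
    }
  }
  return undefined;
}

// Same policy as the BEFORE_DISPATCH trigger: only GET and HEAD are exempt.
function requiresXSRFToken(method) {
  const m = String(method || "GET").toUpperCase();
  return m !== "GET" && m !== "HEAD";
}

// Return a copy of a fetch() init with the token header attached when the
// request is state-changing. Throws if the token is required but missing, so
// a request the server would answer with 403 never leaves the client.
function withXSRFToken(init, cookieString) {
  const method = (init && init.method) || "GET";
  if (!requiresXSRFToken(method)) return { ...init };
  const token = getXSRFToken(cookieString);
  if (token === undefined) {
    throw new Error("XSRF-TOKEN cookie missing; was the session finalized?");
  }
  const headers = { ...((init && init.headers) || {}), [XSRF_HEADER]: token };
  return { ...init, headers };
}

// Browser usage:
//   fetch("/api/items", withXSRFToken({ method: "POST", body }, document.cookie));
```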
This code requires jQuery.

    $(function () {
        "use strict";

        var xsrf_token = getXSRFToken();

        // Add a hidden XSRF-TOKEN field to every form that does not submit with GET.
        $("form").each(function () {
            var form = $(this);
            // a form without a method attribute submits with GET
            var method = (form.attr('method') || 'GET').toUpperCase();
            if (method === 'GET') {
                return;
            }
            var input = $(document.createElement('input'));
            input.attr('type', 'hidden');
            input.attr('name', 'XSRF-TOKEN');
            input.attr('value', xsrf_token);
            form.prepend(input);
        });

        // Read the XSRF-TOKEN cookie that HTTP::Session2 sets.
        function getXSRFToken() {
            var cookies = document.cookie.split(/\s*;\s*/);
            for (var i = 0, l = cookies.length; i < l; i++) {
                var matched = cookies[i].match(/^XSRF-TOKEN=(.*)$/);
                if (matched) {
                    return matched[1];
                }
            }
            return undefined;
        }
    });

Validate XSRF token in your application

You need to call the XSRF validator.

    __PACKAGE__->add_trigger(
        BEFORE_DISPATCH => sub {
            my $c   = shift;
            my $req = $c->req;
            # GET and HEAD are exempt; every other request must carry the token,
            # either in the X-XSRF-TOKEN header or in the XSRF-TOKEN form field
            # that the JavaScript above inserts (parameter names are case-sensitive).
            if ($req->method ne 'GET' && $req->method ne 'HEAD') {
                my $xsrf_token = $req->header('X-XSRF-TOKEN') || $req->param('XSRF-TOKEN');
                unless ($c->session->validate_xsrf_token($xsrf_token)) {
                    return [
                        403,
                        [],
                        ['XSRF detected'],
                    ];
                }
            }
            return;
        }
    );

pros/cons for ServerStore/ClientStore2

ServerStore

pros
cons
ClientStore2

pros
cons
FAQ
LICENSE

Copyright (C) tokuhirom.

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.

AUTHOR

tokuhirom <tokuhirom@gmail.com>

CONTRIBUTORS

magai