/*! * Connect - cookieSession * Copyright(c) 2011 Sencha Inc. * MIT Licensed */ /** * Module dependencies. */ var utils = require('./../utils') , Cookie = require('./session/cookie') , debug = require('debug')('connect:cookieSession') , signature = require('cookie-signature') , crc32 = require('buffer-crc32'); /** * Cookie Session: * * Cookie session middleware. * * var app = connect(); * app.use(connect.cookieParser()); * app.use(connect.cookieSession({ secret: 'tobo!', cookie: { maxAge: 60 * 60 * 1000 }})); * * Options: * * - `key` cookie name defaulting to `connect.sess` * - `secret` prevents cookie tampering * - `cookie` session cookie settings, defaulting to `{ path: '/', httpOnly: true, maxAge: null }` * - `proxy` trust the reverse proxy when setting secure cookies (via "x-forwarded-proto") * * Clearing sessions: * * To clear the session simply set its value to `null`, * `cookieSession()` will then respond with a 1970 Set-Cookie. * * req.session = null; * * @param {Object} options * @return {Function} * @api public */ module.exports = function cookieSession(options){ // TODO: utilize Session/Cookie to unify API options = options || {}; var key = options.key || 'connect.sess' , trustProxy = options.proxy; return function cookieSession(req, res, next) { // req.secret is for backwards compatibility var secret = options.secret || req.secret; if (!secret) throw new Error('`secret` option required for cookie sessions'); // default session req.session = {}; var cookie = req.session.cookie = new Cookie(options.cookie); // pathname mismatch if (0 != req.originalUrl.indexOf(cookie.path)) return next(); // cookieParser secret if (!options.secret && req.secret) { req.session = req.signedCookies[key] || {}; req.session.cookie = cookie; } else { // TODO: refactor var rawCookie = req.cookies[key]; if (rawCookie) { var unsigned = utils.parseSignedCookie(rawCookie, secret); if (unsigned) { var originalHash = crc32.signed(unsigned); req.session = utils.parseJSONCookie(unsigned) || {}; req.session.cookie = cookie; } } } res.on('header', function(){ // removed if (!req.session) { debug('clear session'); cookie.expires = new Date(0); res.setHeader('Set-Cookie', cookie.serialize(key, '')); return; } delete req.session.cookie; // check security var proto = (req.headers['x-forwarded-proto'] || '').toLowerCase() , tls = req.connection.encrypted || (trustProxy && 'https' == proto) , secured = cookie.secure && tls; // only send secure cookies via https if (cookie.secure && !secured) return debug('not secured'); // serialize debug('serializing %j', req.session); var val = 'j:' + JSON.stringify(req.session); // compare hashes, no need to set-cookie if unchanged if (originalHash == crc32.signed(val)) return debug('unmodified session'); // set-cookie val = 's:' + signature.sign(val, secret); val = cookie.serialize(key, val); debug('set-cookie %j', cookie); res.setHeader('Set-Cookie', val); }); next(); }; };