authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-03-15 12:42:16 +0200
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-03-15 12:42:16 +0200
commit249ba17326502ee6ef26808c84df1829175a441f (patch)
tree87e2059821e433dcee9afde0c865fdd2caa07875 /server.lua
parent6400d3b0f3576ca3bc1278fe6706d7de7fffe1fe (diff)
downloadacf2-249ba17326502ee6ef26808c84df1829175a441f.tar.bz2
acf2-249ba17326502ee6ef26808c84df1829175a441f.tar.xz
more secure session management
use random identifiers; bind open transactions to the session
Diffstat (limited to 'server.lua')
-rw-r--r--server.lua39
1 files changed, 19 insertions, 20 deletions
diff --git a/server.lua b/server.lua
index 592e1e1..0bd5553 100644
--- a/server.lua
+++ b/server.lua
@@ -10,16 +10,11 @@ require 'json'
require 'stringy'
--- TODO shared storage for login sessions
-local last_sid = 0
-local sessions = {}
-
--- TODO implement transactions as threads or store their state in
--- shared storage
-local last_txn_id = 0
-local txns = {}
+math.randomseed(os.time())
--- TODO expire stale sessions and transactions
+-- TODO shared storage for sessions
+-- TODO expire stale sessions
+local sessions = {}
return function(env)
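Review bot: The session identifier that becomes the X-ACF-Auth-Token bearer token is produced by `math.random()` seeded with `math.randomseed(os.time())` in this hunk (the generator itself is `sid = math.floor(math.random() * 2^32)` in the login hunk further down), and neither is a cryptographically secure source: the seed has one-second granularity and is guessable from the server start time, and the value carries at most 32 bits (in Lua 5.1 `math.random` wraps the C library's `rand()`, which may supply even fewer). A token that authenticates every later request should instead be read from the OS random device, e.g. 16 bytes from `/dev/urandom` hex-encoded into a string, which also makes the `repeat … until not sessions[sid]` collision loop effectively a no-op. With a string token the `tonumber(env.HTTP_X_ACF_AUTH_TOKEN)` lookup in the second hunk becomes a plain string lookup, and the `math.randomseed` line here can be dropped. A sketch of the generator and its use in the login branch:
```lua
-- Read a 128-bit token from the OS random device; hex-encoded so it is
-- safe to carry in a header and to use directly as a table key.
local function new_session_id()
  local dev = assert(io.open('/dev/urandom', 'rb'))
  local raw = dev:read(16)
  dev:close()
  assert(raw and #raw == 16, 'short read from random device')
  return (raw:gsub('.', function(c) return string.format('%02x', c:byte()) end))
end
-- … unchanged: sessions table, request handler up to the password check …
local sid
repeat
  sid = new_session_id()
until not sessions[sid]
```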
@@ -57,16 +52,17 @@ return function(env)
end
local sid = tonumber(env.HTTP_X_ACF_AUTH_TOKEN)
- local user, txn_id
+ local session, user, txn_id
if sid then
- user = sessions[sid]
- if not user then return wrap(401) end
+ session = sessions[sid]
+ if not session then return wrap(401) end
+ user = session.user
txn_id = tonumber(env.HTTP_X_ACF_TRANSACTION_ID)
end
local parent_txn
if txn_id then
- parent_txn = txns[txn_id]
+ parent_txn = session.txns[txn_id]
if not parent_txn then
return wrap(400, nil, 'Invalid transaction ID')
end
@@ -88,9 +84,12 @@ return function(env)
end
fetch_user(data.username)
if user and user:check_password(data.password) then
- last_sid = last_sid + 1
- local sid = last_sid
- sessions[sid] = data.username
+ local sid
+ repeat
+ sid = math.floor(math.random() * 2^32)
+ until not sessions[sid]
+
+ sessions[sid] = {user=data.username, last_txn_id=0, txns={}}
return wrap(204, {['X-ACF-Auth-Token']=sid})
end
return wrap(401)
@@ -163,15 +162,15 @@ return function(env)
if ({DELETE=true, PUT=true})[method] then
if not txn_id then return 405 end
if method == 'PUT' then parent_txn:commit() end
- txns[txn_id] = nil
+ session.txns[txn_id] = nil
return 204
end
if method ~= 'POST' then return 405 end
- last_txn_id = last_txn_id + 1
- local txn_id = last_txn_id
- txns[txn_id] = acf.transaction.start(parent_txn)
+ session.last_txn_id = session.last_txn_id + 1
+ local txn_id = session.last_txn_id
+ session.txns[txn_id] = acf.transaction.start(parent_txn)
return 204, {['X-ACF-Transaction-ID']=txn_id}
end
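Review bot: `session.last_txn_id = session.last_txn_id + 1` and the `session.txns[txn_id] = acf.transaction.start(parent_txn)` line below it index `session`, which the second hunk leaves nil whenever the request carries no X-ACF-Auth-Token; unless a check between these hunks already rejects unauthenticated requests, a POST here raises an "attempt to index a nil value" error rather than returning 401. A guard such as `if not session then return 401 end` placed just before the increment makes the intent explicit either way. The enclosing handler starts and ends outside this hunk, so whether such a check exists could not be confirmed from the diff.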