author | Nathan Angelacos <nangel@tetrasec.net> | 2007-11-15 21:58:58 +0000 |
---|---|---|
committer | Nathan Angelacos <nangel@tetrasec.net> | 2007-11-15 21:58:58 +0000 |
commit | 4ec03d0ebb3c191d2344e0e7c8586605dd2d1804 (patch) | |
tree | 908a7c0144f5ae6e9b50043a0bb2dc6cf226bba1 /lib/session.lua | |
parent | 1b76b8d1389f9609269b5fe14a34afa92a6cec0c (diff) | |
download | acf-core-4ec03d0ebb3c191d2344e0e7c8586605dd2d1804.tar.bz2 acf-core-4ec03d0ebb3c191d2344e0e7c8586605dd2d1804.tar.xz |
Session library now records events of notice when an invalid sessionid
is given, and does lazy saves for empty sessions
git-svn-id: svn://svn.alpinelinux.org/acf/core/trunk@309 ab2d0c66-481e-0410-8bed-d214d4d58bed
Diffstat (limited to 'lib/session.lua')
-rw-r--r-- | lib/session.lua | 59 |
1 files changed, 48 insertions, 11 deletions
diff --git a/lib/session.lua b/lib/session.lua
index fc7ecde..149f5aa 100644
--- a/lib/session.lua
+++ b/lib/session.lua
@@ -1,6 +1,15 @@
 -- Session handling routines - written for acf
 -- Copyright (C) 2007 N. Angelacos - GPL2 License
+
+--[[ Note that in this library, we use empty (0 byte) files
+-- everwhere we can, as they only take up dir entries, not inodes
+-- as the tmpfs blocksize is 4K, and under denial of service
+-- attacks hundreds or thousands of events can come in each
+-- second, we could end up in a disk full condition if we did
+-- not take this precaution.
+-- ]]--
+
 module (..., package.seeall)
 require "posix"
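Review bot: The new header comment claims empty files take up directory entries but not inodes, which is not how tmpfs works — every file on tmpfs still consumes an inode (tmpfs is bounded by its `nr_inodes` mount option); what a 0-byte file avoids is a 4K data page. Since this comment is the rationale for the one-file-per-event design added later in this commit, it should state the real cost, e.g. `-- everywhere we can: each one costs a directory entry and an inode but no 4K data page, so a burst of events under denial of service does not fill the tmpfs`. That rewording also fixes the "everwhere" typo.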
@@ -79,31 +88,48 @@ end
 save_session = function( sessionpath, session, sessiontable)
 local file = io.open(sessionpath .. "/session." .. session , "w")
- if file then
- file:write ( "-- This is an ACF session table.\nlocal timestamp=" .. os.time() )
+ if file == nil then
+ return false
+ end
+
+ local id = sessiontable.id
+
+ -- clear the id key
+ sessiontable.id = nil
+ -- count the keys
+ local count = 0
+ for k,v in pairs (sessiontable) do
+ count = count + 1
+ end
+ -- If the table only has an "id" field, then don't save it
+ if count > 0 and file then
+ file:write ( "-- This is an ACF session table.\n")
 file:write ( "\nlocal " )
 file:write ( serialize("s", sessiontable) )
- file:write ( "return timestamp, s\n")
- file:close()
- return true
- else
- return false
+ file:write ( "return s\n")
 end
+ file:close()
+ sessiontable.id=id
+ return true
 end
 -- Loads a session
 -- Returns a timestamp (when the session data was saved) and the session table.
+-- We insert a "id" field from the "session"
 load_session = function ( sessionpath, session )
+ local s = {}
 -- session can only have b64 characters in it
 session = string.gsub ( session or "", "[^" .. b64 .. "]", "")
 if #session == 0 then
 return nil, {}
 end
- session = sessionpath .. "/session." .. session
- if (posix.stat(session)) then
- local file = io.open(session)
- return dofile(session)
+ local spath = sessionpath .. "/session." .. session
+ local ts = posix.stat(spath, "ctime")
+ if (ts) then
+ s = dofile(spath) or {}
+ s.id = session
+ return ts, s
 else
 return nil, {}
 end
@@ -121,3 +147,14 @@ unlink_session = function (sessionpath, session)
 return nil
 end
+
+-- Record an invalid login event
+-- ID would typically be an ip address or username
+-- the format is lockevent.id.datetime.processid
+record_event = function( sessionpath, id )
+ local x = io.open (string.format ("%s/lockevent.%s.%s.%s",
+ sessionpath or "/", id or "", os.time(),
+ (posix.getpid("pid")) or "" ), "w")
+ io.close(x)
+end
+
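Review bot: `if count > 0 and file then` re-tests a handle that the early `if file == nil then return false end` just guaranteed, so the `and file` is dead, and the unused loop variables should read `for _ in pairs (sessiontable) do`. The save also clears `sessiontable.id` on the caller's own table and restores it only after the writes, so an error raised by `serialize` or `file:write` leaves the caller without its id and leaks the handle; wrapping the write in `pcall`, then restoring `sessiontable.id = id` and closing before re-raising, would keep the table intact. In load_session the timestamp is now `posix.stat(spath, "ctime")`, an inode-change time that also moves on chmod/chown/rename, while the comment above still says it is when the session data was saved; `"mtime"` matches that description, or the comment should say the file's ctime is returned. load_session's body continues past the end of the hunk.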
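Review bot: record_event interpolates `id` straight into the file name, and the comment says it is typically a username, so an id containing `/` or other path characters changes where the lockevent file is created; the same whitelist approach load_session uses for session ids should be applied here before formatting the path. `io.open` can also return nil (missing directory, permissions, or a full tmpfs — the very condition the header comment worries about), and `io.close(nil)` then raises instead of failing quietly. Note also that each event creates a new file with no cap, so on tmpfs the limit is `nr_inodes` rather than disk space; whatever consumes the lockevent files presumably prunes them, which this commit does not show.
```lua
record_event = function( sessionpath, id )
  -- restrict id to a safe charset so it cannot carry path separators
  id = string.gsub ( tostring(id or ""), "[^%w%.:_-]", "_")
  local x = io.open (string.format ("%s/lockevent.%s.%s.%s",
        sessionpath or "/", id, os.time(),
        (posix.getpid("pid")) or "" ), "w")
  if x then
    io.close(x)
  end
end
```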