happstack-clientsession 7.1.0 → 7.1.1
raw patch · 2 files changed
+18/−10 lines, 2 filesdep ~clientsessiondep ~mtlPVP ok
version bump matches the API change (PVP)
Dependency ranges changed: clientsession, mtl
API changes (from Hackage documentation)
+ Happstack.Server.ClientSession: instance SafeCopy Key
+ Happstack.Server.ClientSession: randomKey :: IO (ByteString, Key)
Files
happstack-clientsession.cabal view
@@ -1,5 +1,5 @@ Name : happstack-clientsession-Version : 7.1.0+Version : 7.1.1 License : BSD3 License-file : COPYING Synopsis : client-side session data@@ -25,9 +25,9 @@ base == 4.*, bytestring == 0.9.*, cereal == 0.3.*,- clientsession == 0.7.*,+ clientsession == 0.8.*, happstack-server == 7.0.*, monad-control == 0.3.*,- mtl == 2.0.*,+ mtl >= 2.0 && < 2.2, safecopy == 0.6.*, transformers-base == 0.4.*
src/Happstack/Server/ClientSession.hs view
@@ -1,17 +1,18 @@ {-# LANGUAGE DeriveDataTypeable, FlexibleContexts, FlexibleInstances, FunctionalDependencies, GeneralizedNewtypeDeriving, MultiParamTypeClasses, RecordWildCards, Rank2Types, ScopedTypeVariables, TypeFamilies, UndecidableInstances #-}+{-# OPTIONS_GHC -fno-warn-orphans #-} {- | This module provides a simple session implementation which stores session data on the client as a cookie value. -The cookie values stored in an encryted cookie to make it more+The cookie values are stored in an encrypted cookie to make it more difficult for users to tamper with the values. However, this does not prevent replay attacks, and should not be seen as a substitute for using HTTPS. Additionally, the cryptography libraries used to encrypt the cookie have never been audited. Hence you are encouraged to think carefully about what data you put in the session data. -Another important thing to realize is clientside sessions do not+Another important thing to realize is client-side sessions do not provide Isolation. Imagine if the browser makes multiple simultaneous requests, which each modify the session data. The browser will submit the same cookie for each the requests, and each request handling@@ -34,7 +35,7 @@ will be submitting multiple POST requests in parallel. Though there is no guarantee. -Alternatively, you can choose to /only/ store data where it is ok if+Alternatively, you can choose to /only/ store data where it is OK if modifications are lost. For example, if the session data contains only a userid and the time of the last request they made, then there is no great loss if some of the modifications are lost, because the access@@ -133,7 +134,7 @@ > simpleHTTP nullConf $ withClientSessionT sessionConf $ routes In a real application you might want to use a @newtype@ wrapper around-'ClientSessionT' to keep your type sigantures sane. An alternative+'ClientSessionT' to keep your type signatures sane. An alternative version of this demo which does that can be found here: <http://patch-tag.com/r/mae/happstack/snapshot/current/content/pretty/happstack-clientsession/demo/demo.hs>@@ -157,6 +158,7 @@ , Key , getKey , getDefaultKey+ , randomKey ) where import Control.Applicative (Applicative, Alternative, optional)@@ -176,14 +178,20 @@ ) import Data.ByteString.Char8 (pack, unpack) import Data.Monoid (Monoid(..))-import Data.SafeCopy (SafeCopy, safeGet, safePut)+import Data.SafeCopy (SafeCopy(getCopy, putCopy), contain, safeGet, safePut) import Data.Serialize (runGet, runPut) import Happstack.Server ( HasRqData, FilterMonad, WebMonad, ServerMonad, Happstack, Response , CookieLife(Session), Cookie(secure,cookiePath, cookieDomain, httpOnly) , lookCookieValue, addCookie, mkCookie, expireCookie )-import Web.ClientSession (Key, getKey, getDefaultKey, decrypt, encryptIO)+import Web.ClientSession (Key, getKey, getDefaultKey, randomKey, decrypt, encryptIO) +import qualified Data.Serialize as S++instance SafeCopy Key where+ getCopy = contain $ S.get+ putCopy = contain . S.put+ ------------------------------------------------------------------------------ -- class ClientSession ------------------------------------------------------------------------------@@ -202,7 +210,7 @@ data SessionConf = SessionConf { sessionCookieName :: String -- ^ Name of the cookie to hold your session data. , sessionCookieLife :: CookieLife -- ^ Lifetime of that cookie.- , sessionKey :: Key -- ^ Encryption key, usually from 'getKey' or 'getDefaultKey'.+ , sessionKey :: Key -- ^ Encryption key, usually from one of 'getKey', 'getDefaultKey' and 'randomKey'. , sessionDomain :: String -- ^ cookie domain , sessionPath :: String -- ^ cookie path , sessionSecure :: Bool -- ^ Only use a session over secure transports.