[Ruby-session-devel-cvs] CVS: ruby-session/src/apache session.rb,1.4,1.5
From: Sean C. <the...@us...> - 2002-06-25 01:53:48
Update of /cvsroot/ruby-session/ruby-session/src/apache In directory usw-pr-cvs1:/tmp/cvs-serv5376 Modified Files: session.rb Log Message: *) I'm not even going to venture to guess what it was that I didn't change, but suffice it to say that a lot changed and this is only a snapshot for backup purposes only.
Index: session.rb
===================================================================
RCS file: /cvsroot/ruby-session/ruby-session/src/apache/session.rb,v
retrieving revision 1.4
retrieving revision 1.5
diff -u -r1.4 -r1.5
--- session.rb 20 Jun 2002 13:46:50 -0000 1.4
+++ session.rb 25 Jun 2002 01:53:45 -0000 1.5
@@ -5,42 +5,281 @@ # $Id$ require 'session' +require 'apache/cookie' + +class Session + public + + # Ugly hack-ish method for extending Session to include various + # routines not included in the base class and are special to + # Apache::Session + + def apache_session_setup() + # Boolean values for where we fetched our session data from + @uri_session = nil + @cookie_session = nil + end # def apache_session_setup +end # module Session + + module Apache + class Request + attr_accessor(:cookie_session, :uri_session, :uri_session_place) + def setup_session_state() + @cookie_session ||= nil + @uri_session ||= nil + @uri_session_place ||= nil + end # def setup_session_state() + end # class Request + class Session + NONE = 1 + OPTIONAL = 2 + REQUIRED = 3 + URI_ARG = 4 + URI_END = 5 + URI_SESSION = 6 + URI_START = 7 + @@html_session_re_a = nil @@html_session_re_form = nil @@html_session_re_img = nil - @@uri_session_ri = nil + @@uri_session_re = nil + + + def Session.check_access(r) + return_code = Apache::DECLINED + + # This is likely going to bite people who have their apache + # config screwed up, but, we're going to check/refresh that + # people ar visiting the vhost that the server is setup to + # handle. It's done for security reasons... sorry. + r.headers_in.each_key do |header| + if header.downcase == 'host' and + r.headers_in['Host'].downcase != r.server_name.downcase + r.headers_out['Location'] = r.construct_url(r.unparsed_uri) + return(Apache::HTTP_MOVED_TEMPORARILY) + end # if header.downcase + end # r.headers_in... 
+ + + # Setup the session environment now that the request has a URI + if ENV.has_key?('COOKIE_SESSION') + case ENV['COOKIE_SESSION'] + when 'required' + r.cookie_session = REQUIRED + when 'optional' + r.cookie_session = OPTIONAL + when 'none' + r.cookie_sessoin = NONE + else + r.cookie_session = OPTIONAL + end # case ENV['COOKIE_SESSION'] + end # if ENV.has_key?('COOKIE_SESSION') + + if ENV.has_key?('URI_SESSION') + case ENV['URI_SESSION'] + when 'required' + r.uri_session = REQUIRED + when 'optional' + r.uri_session = OPTIONAL + when 'none' + r.uri_session = NONE + else + r.uri_session = OPTIONAL + end # case ENV['URI_SESSION'] + end # if ENV.has_key?('URI_SESSION') + + if ENV.has_key?('URI_SESSION_PLACE') + case ENV['URI_SESSION_PLACE'] + when 'arg' + r.uri_session_place = URI_ARG + when 'end' + r.uri_session_place = URI_END + when 'start' + r.uri_session_place = URI_START + else + r.uri_session_place = URI_START + end # case ENV['URI_SESSION_PLACE'] + end # if ENV.has_key?('URI_SESSION_PLACE') + + case r.uri_session + when REQUIRED + # Send user a 302 with session in URI + if $session.session_id.nil? + $session.generate() + + args = r.args || '' + path_info = r.path_info || '' + + case r.uri_session_place + when URI_ARG + if r.args.nil? 
+ r.headers_out['Location'] = "#{r.uri}#{path_info}?sess=#{$session.session_id}" + else + r.headers_out['Location'] = "#{r.uri}#{path_info}#{args}&sess=#{$session.session_id}" + end + when URI_END + r.headers_out['Location'] = "#{File.dirname(r.uri)}/sess=#{$session.session_id}/#{File.basename(r.uri)}#{path_info}#{args}" + when URI_START + r.headers_out['Location'] = "/sess=#{$session.session_id}#{r.uri}#{path_info}#{args}" + end # case r.uri_session_place + return(Apache::HTTP_MOVED_TEMPORARILY) + end + return_code = Apache::OK + when OPTIONAL + # If session exists, don't destroy it + # Pass user along regardless of whether they have one or not + return_code = Apache::OK + when NONE + # Remove any session data found in the env + # Pass the user along with an empty session id/data + $session = nil + return_code = Apache::DECLINED + end # case r.uri_session + + + # XXXX + case r.cookie_session + when REQUIRED + + # If required and we don't have any cookies, 302 the user to + # our URL again, but send out a test cookie in the 302. If we + # catch a cookie in the response, then let the user through. + # If the user doesn't allow cookies, and r.uri_session is set + # to OPTIONAL, then bounce the user a URI session. This + # allows for cookied sessions by default, but if the user is + # smart and has turned off cookies, then we still let them + # through the site. + + if $session.session_id.nil? + $session.generate() + + args = r.args || '' + path_info = r.path_info || '' + + case r.uri_session_place + when URI_ARG + if r.args.nil? 
+ r.headers_out['Location'] = "#{r.uri}#{path_info}?sess=#{$session.session_id}" + else + r.headers_out['Location'] = "#{r.uri}#{path_info}#{args}&sess=#{$session.session_id}" + end + when URI_END + r.headers_out['Location'] = "#{File.dirname(r.uri)}/sess=#{$session.session_id}/#{File.basename(r.uri)}#{path_info}#{args}" + when URI_START + r.headers_out['Location'] = "/sess=#{$session.session_id}#{r.uri}#{path_info}#{args}" + end # case r.uri_session_place + return(Apache::HTTP_MOVED_TEMPORARILY) + end + return_code = Apache::OK + when OPTIONAL + # If session exists, don't destroy it + # Pass user along regardless of whether they have one or not + return_code = Apache::OK + when NONE + # Remove any session data found in the env + # Pass the user along with an empty session id/data + $session = nil + return_code = Apache::DECLINED + end # case r.uri_session + + $session.load() unless $session.session_id.nil? + + return(return_code) + end # def Session.check_access() + def Session.cleanup(r) - s = nil + $session = nil + return(Apache::OK) end # def Session.cleanup() def Session.init(r) - s = Session.new() + r.setup_session_state() + s = Kernel.const_get('Session').new() + s.apache_session_setup() - # One time init junk + # One time init foo @@html_session_re_a ||= Regexp.new('(<\s*[Aa].*?[Hh][Rr][Ee][Ff]\s*=\s*)(([\'\"])((?:[^#]|[Mm][Aa][Ii][Ll][Tt][Oo]).*?[^\?]*?){0,1}(\?.*?){0,1}\3)(.*?>)') @@html_session_re_form ||= Regexp.new('(<\s*[Ff][Oo][Rr][Mm].*?[Aa][Cc][Tt][Ii][Oo][Nn]\s*=\s*)(([\'"])([^\?]*?){0,1}(\?.*?){0,1}\3)(.*?>)') @@html_session_re_img ||= Regexp.new('(<\s*[Ii][Mm][Gg].*?[Ss][Rr][Cc]\s*=\s*)(([\'"])([^\?]*?){0,1}(\?.*?){0,1}\3)(.*?>)') - @@uri_session_re ||= Regexp.new('/sess=([A-Fa-f0-9]{32})/') + @@uri_session_re ||= Regexp.new('([\/\?\&])sess=([A-Fa-f0-9]{32})([\&\/]?)') + + return(Apache::DECLINED) end # def Session.init() + def Session.rewrite_output(r) + if !$session.session_id.nil? 
and r.uri_session != NONE + # Rewrite the HTML + # + # Need to make sure that we only rewrite URLs for the current + # VHOST (ie: relative and fully qualified) + + return(Apache::OK) + else + return(Apache::DECLINED) + end + end # def Session.rewrite_output() + + + def html_sessionize_str(str, re) + str_orig = str.dup + + while (md = re.match(str_orig)) do + tag = md.to_a[1] + md.to_a[3] + md.to_a[4] + + if md.to_a[4].index('mailto') == 0 + tag = md.to_a[0] + elsif md.to_a[5] + if md.to_a[5].index(Regexp.new('[\/\?\+]sess=')) + tag <<= md.to_a[5] + md.to_a[3] + md.to_a[6] + else + tag <<= md.to_a[5] + '+sess=' + @session_id + md.to_a[3] + md.to_a[6] + end + else + tag <<= '?sess=' + @session_id + md.to_a[3] + md.to_a[6] + end + + str.gsub!(Regexp.escape(md.to_a[0]), tag) + str_orig = md.post_match + end # while loop + + return(tmpl) + end # def sessionize_str() + + + # Translate URI is responsible for nabbing the session out of the URI + # or out of the cookie. def Session.translate_uri(r) - md = @@uri_session_re.match(r.uri) + md = @@uri_session_re.match(r.unparsed_uri) if !md.nil? - $session.session_id = md[1] - r.uri = uri.sub(md[0], '/') + $session.uri_session = true + $session.session_id = md[2] + case md[1] + when '/' + r.uri = r.uri.sub(Regexp.escape(md[0]), md[1]) + when '?' + if md[3].nil? + r.args = r.args.sub(Regexp.escape(md[0]), '') + else + r.args = r.args.sub(Regexp.escape(md[0]), md[1]) + end + when '&' + if md[3].nil? + r.args = r.args.sub(Regexp.escape(md[0]), '') + else + r.args = r.args.sub(Regexp.escape(md[0]), md[1]) + end + end # case md[1] - $session.generate() unless $session.load() - r.notes['session_id'] = $session.session_id + # $session.generate() unless $session.load() else # No Session or invalid session found in the URI - # - # XXX Need to incorporate checking for cookies here + $session.uri_session = false end # if md.nil? # Let another handler map this request to a file |
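Review bot: `Session.translate_uri` (whose body continues past the end of the hunk) now copies any 32-hex `sess=` value from the request into `$session.session_id`, and with `$session.generate() unless $session.load()` commented out, the only later check is `$session.load() unless $session.session_id.nil?` at the end of `check_access`, whose result is ignored. As far as this hunk shows, an identifier chosen by the client that matches no stored session is therefore adopted as-is, which is a session-fixation risk; the removed line suggests `load` returns false on a miss, so `check_access` could end with `$session.generate() unless $session.load()` and redirect to the freshly generated id. That final line also runs after the `NONE` branches set `$session = nil`, so it would raise on nil and needs a guard such as `if $session`. Two smaller slips in the same hunk: `r.cookie_sessoin = NONE` is misspelled, and `html_sessionize_str` ends with `return(tmpl)` although `tmpl` is never defined (presumably `str` was meant).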